xref: /freebsd/contrib/ntp/NEWS (revision fb47a3769c514735bceb2822a64e5e70c3d2f7a4)
1--
2NTP 4.2.8p11 (Harlan Stenn <stenn@ntp.org>, 2018/02/27)
3
4NOTE: this NEWS file will be undergoing more revisions.
5
6Focus: Security, Bug fixes, enhancements.
7
8Severity: MEDIUM
9
10This release fixes 2 low-/medium-, 1 informational/medum-, and 2 low-severity
11vulnerabilities in ntpd, one medium-severity vulernability in ntpq, and
12provides 65 other non-security fixes and improvements:
13
14* NTP Bug 3454: Unauthenticated packet can reset authenticated interleaved
15	association (LOW/MED)
16   Date Resolved: Stable (4.2.8p11) 27 Feb 2018
17   References: Sec 3454 / CVE-2018-7185 / VU#961909
18   Affects: ntp-4.2.6, up to but not including ntp-4.2.8p11.
19   CVSS2: MED 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P) This could score between
20	2.9 and 6.8.
21   CVSS3: LOW 3.1 CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L This could
22	score between 2.6 and 3.1
23   Summary:
24	The NTP Protocol allows for both non-authenticated and
25	authenticated associations, in client/server, symmetric (peer),
26	and several broadcast modes. In addition to the basic NTP
27	operational modes, symmetric mode and broadcast servers can
28	support an interleaved mode of operation. In ntp-4.2.8p4 a bug
29	was inadvertently introduced into the protocol engine that
30	allows a non-authenticated zero-origin (reset) packet to reset
31	an authenticated interleaved peer association. If an attacker
32	can send a packet with a zero-origin timestamp and the source
33	IP address of the "other side" of an interleaved association,
34	the 'victim' ntpd will reset its association. The attacker must
35	continue sending these packets in order to maintain the
36	disruption of the association. In ntp-4.0.0 thru ntp-4.2.8p6,
37	interleave mode could be entered dynamically. As of ntp-4.2.8p7,
38	interleaved mode must be explicitly configured/enabled.
39   Mitigation:
40	Implement BCP-38.
41	Upgrade to 4.2.8p11, or later, from the NTP Project Download Page
42	    or the NTP Public Services Project Download Page.
43	If you are unable to upgrade to 4.2.8p11 or later and have
44	    'peer HOST xleave' lines in your ntp.conf file, remove the
45	    'xleave' option.
46	Have enough sources of time.
47	Properly monitor your ntpd instances.
48	If ntpd stops running, auto-restart it without -g .
49   Credit:
50   	This weakness was discovered by Miroslav Lichvar of Red Hat.
51
52* NTP Bug 3453: Interleaved symmetric mode cannot recover from bad
53	state (LOW/MED)
54   Date Resolved: Stable (4.2.8p11) 27 Feb 2018
55   References: Sec 3453 / CVE-2018-7184 / VU#961909
56   Affects: ntpd in ntp-4.2.8p4, up to but not including ntp-4.2.8p11.
57   CVSS2: MED 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
58	Could score between 2.9 and 6.8.
59   CVSS3: LOW 3.1 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
60	Could score between 2.6 and 6.0.
61   Summary:
62   	The fix for NtpBug2952 was incomplete, and while it fixed one
63	problem it created another.  Specifically, it drops bad packets
64	before updating the "received" timestamp.  This means a
65	third-party can inject a packet with a zero-origin timestamp,
66	meaning the sender wants to reset the association, and the
67	transmit timestamp in this bogus packet will be saved as the
68	most recent "received" timestamp.  The real remote peer does
69	not know this value and this will disrupt the association until
70	the association resets.
71   Mitigation:
72	Implement BCP-38.
73	Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page
74	    or the NTP Public Services Project Download Page.
75	Use authentication with 'peer' mode.
76	Have enough sources of time.
77	Properly monitor your ntpd instances.
78	If ntpd stops running, auto-restart it without -g .
79   Credit:
80   	This weakness was discovered by Miroslav Lichvar of Red Hat.
81
82* NTP Bug 3415: Provide a way to prevent authenticated symmetric passive
83	peering (LOW)
84   Date Resolved: Stable (4.2.8p11) 27 Feb 2018
85   References: Sec 3415 / CVE-2018-7170 / VU#961909
86   	       Sec 3012 / CVE-2016-1549 / VU#718152
87   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
88   	4.3.0 up to, but not including 4.3.92.  Resolved in 4.2.8p11.
89   CVSS2: LOW 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N)
90   CVSS3: LOW 3.1 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
91   Summary:
92	ntpd can be vulnerable to Sybil attacks.  If a system is set up to
93	use a trustedkey and if one is not using the feature introduced in
94	ntp-4.2.8p6 allowing an optional 4th field in the ntp.keys file to
95	specify which IPs can serve time, a malicious authenticated peer
96	-- i.e. one where the attacker knows the private symmetric key --
97	can create arbitrarily-many ephemeral associations in order to win
98	the clock selection of ntpd and modify a victim's clock.  Three
99	additional protections are offered in ntp-4.2.8p11.  One is the
100	new 'noepeer' directive, which disables symmetric passive
101	ephemeral peering. Another is the new 'ippeerlimit' directive,
102	which limits the number of peers that can be created from an IP.
103	The third extends the functionality of the 4th field in the
104	ntp.keys file to include specifying a subnet range.
105   Mitigation:
106	Implement BCP-38.
107	Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page
108	    or the NTP Public Services Project Download Page.
109	Use the 'noepeer' directive to prohibit symmetric passive
110	    ephemeral associations.
111	Use the 'ippeerlimit' directive to limit the number of peers
112	    that can be created from an IP.
113	Use the 4th argument in the ntp.keys file to limit the IPs and
114	    subnets that can be time servers.
115	Have enough sources of time.
116	Properly monitor your ntpd instances.
117	If ntpd stops running, auto-restart it without -g .
118   Credit:
119	This weakness was reported as Bug 3012 by Matthew Van Gundy of
120	Cisco ASIG, and separately by Stefan Moser as Bug 3415.
121
122* ntpq Bug 3414: decodearr() can write beyond its 'buf' limits (Medium)
123   Date Resolved: 27 Feb 2018
124   References: Sec 3414 / CVE-2018-7183 / VU#961909
125   Affects: ntpq in ntp-4.2.8p6, up to but not including ntp-4.2.8p11.
126   CVSS2: MED 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
127   CVSS3: MED 5.0 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
128   Summary:
129   	ntpq is a monitoring and control program for ntpd.  decodearr()
130	is an internal function of ntpq that is used to -- wait for it --
131	decode an array in a response string when formatted data is being
132	displayed.  This is a problem in affected versions of ntpq if a
133	maliciously-altered ntpd returns an array result that will trip this
134	bug, or if a bad actor is able to read an ntpq request on its way to
135	a remote ntpd server and forge and send a response before the remote
136	ntpd sends its response.  It's potentially possible that the
137	malicious data could become injectable/executable code.
138   Mitigation:
139	Implement BCP-38.
140	Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page
141	    or the NTP Public Services Project Download Page.
142   Credit:
143	This weakness was discovered by Michael Macnair of Thales e-Security.
144
145* NTP Bug 3412: ctl_getitem(): buffer read overrun leads to undefined
146	behavior and information leak (Info/Medium)
147   Date Resolved: 27 Feb 2018
148   References: Sec 3412 / CVE-2018-7182 / VU#961909
149   Affects: ntp-4.2.8p6, up to but not including ntp-4.2.8p11.
150   CVSS2: INFO 0.0 - MED 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 0.0 if C:N
151   CVSS3: NONE 0.0 - MED 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
152	0.0 if C:N
153   Summary:
154	ctl_getitem()  is used by ntpd to process incoming mode 6 packets.
155	A malicious mode 6 packet can be sent to an ntpd instance, and
156	if the ntpd instance is from 4.2.8p6 thru 4.2.8p10, that will
157	cause ctl_getitem() to read past the end of its buffer.
158   Mitigation:
159	Implement BCP-38.
160	Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page
161	    or the NTP Public Services Project Download Page.
162	Have enough sources of time.
163	Properly monitor your ntpd instances.
164	If ntpd stops running, auto-restart it without -g .
165   Credit:
166   	This weakness was discovered by Yihan Lian of Qihoo 360.
167
168* NTP Bug 3012: Sybil vulnerability: ephemeral association attack
169   Also see Bug 3415, above.
170   Date Mitigated: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
171   Date Resolved: Stable (4.2.8p11) 27 Feb 2018
172   References: Sec 3012 / CVE-2016-1549 / VU#718152
173   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
174	4.3.0 up to, but not including 4.3.92.  Resolved in 4.2.8p11.
175   CVSS2: LOW 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N)
176   CVSS3: MED 5.3 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
177   Summary:
178	ntpd can be vulnerable to Sybil attacks.  If a system is set up
179	to use a trustedkey and if one is not using the feature
180	introduced in ntp-4.2.8p6 allowing an optional 4th field in the
181	ntp.keys file to specify which IPs can serve time, a malicious
182	authenticated peer -- i.e. one where the attacker knows the
183	private symmetric key -- can create arbitrarily-many ephemeral
184	associations in order to win the clock selection of ntpd and
185	modify a victim's clock.  Two additional protections are
186	offered in ntp-4.2.8p11.  One is the 'noepeer' directive, which
187	disables symmetric passive ephemeral peering. The other extends
188	the functionality of the 4th field in the ntp.keys file to
189	include specifying a subnet range.
190   Mitigation:
191	Implement BCP-38.
192	Upgrade to 4.2.8p11, or later, from the NTP Project Download Page or
193	    the NTP Public Services Project Download Page.
194	Use the 'noepeer' directive to prohibit symmetric passive
195	    ephemeral associations.
196	Use the 'ippeerlimit' directive to limit the number of peer
197	    associations from an IP.
198	Use the 4th argument in the ntp.keys file to limit the IPs
199	    and subnets that can be time servers.
200	Properly monitor your ntpd instances.
201   Credit:
202   	This weakness was discovered by Matthew Van Gundy of Cisco ASIG.
203
204* Bug fixes:
205 [Bug 3457] OpenSSL FIPS mode regression <perlinger@ntp.org>
206 [Bug 3455] ntpd doesn't use scope id when binding multicast <perlinger@ntp.org>
207 - applied patch by Sean Haugh
208 [Bug 3452] PARSE driver prints uninitialized memory. <perlinger@ntp.org>
209 [Bug 3450] Dubious error messages from plausibility checks in get_systime()
210 - removed error log caused by rounding/slew, ensured postcondition <perlinger@ntp.org>
211 [Bug 3447] AES-128-CMAC (fixes) <perlinger@ntp.org>
212 - refactoring the MAC code, too
213 [Bug 3441] Validate the assumption that AF_UNSPEC is 0.  stenn@ntp.org
214 [Bug 3439] When running multiple commands / hosts in ntpq... <perlinger@ntp.org>
215 - applied patch by ggarvey
216 [Bug 3438] Negative values and values > 999 days in... <perlinger@ntp.org>
217 - applied patch by ggarvey (with minor mods)
218 [Bug 3437] ntpd tries to open socket with AF_UNSPEC domain
219 - applied patch (with mods) by Miroslav Lichvar <perlinger@ntp.org>
220 [Bug 3435] anchor NTP era alignment <perlinger@ntp.org>
221 [Bug 3433] sntp crashes when run with -a.  <stenn@ntp.org>
222 [Bug 3430] ntpq dumps core (SIGSEGV) for "keytype md2"
223 - fixed several issues with hash algos in ntpd, sntp, ntpq,
224   ntpdc and the test suites <perlinger@ntp.org>
225 [Bug 3424] Trimble Thunderbolt 1024 week millenium bug <perlinger@ntp.org>
226 - initial patch by Daniel Pouzzner
227 [Bug 3423] QNX adjtime() implementation error checking is
228 wrong <perlinger@ntp.org>
229 [Bug 3417] ntpq ifstats packet counters can be negative
230 made IFSTATS counter quantities unsigned <perlinger@ntp.org>
231 [Bug 3411] problem about SIGN(6) packet handling for ntp-4.2.8p10
232 - raised receive buffer size to 1200 <perlinger@ntp.org>
233 [Bug 3408] refclock_jjy.c: Avoid a wrong report of the coverity static
234 analysis tool. <abe@ntp.org>
235 [Bug 3405] update-leap.in: general cleanup, HTTPS support.  Paul McMath.
236 [Bug 3404] Fix openSSL DLL usage under Windows <perlinger@ntp.org>
237 - fix/drop assumptions on OpenSSL libs directory layout
238 [Bug 3399] NTP: linker error in 4.2.8p10 during Linux cross-compilation
239 - initial patch by timeflies@mail2tor.com  <perlinger@ntp.org>
240 [Bug 3398] tests fail with core dump <perlinger@ntp.org>
241 - patch contributed by Alexander Bluhm
242 [Bug 3397] ctl_putstr() asserts that data fits in its buffer
243 rework of formatting & data transfer stuff in 'ntp_control.c'
244 avoids unecessary buffers and size limitations. <perlinger@ntp.org>
245 [Bug 3394] Leap second deletion does not work on ntpd clients
246 - fixed handling of dynamic deletion w/o leap file <perlinger@ntp.org>
247 [Bug 3391] ntpd segfaults on startup due to small warmup thread stack size
248 - increased mimimum stack size to 32kB <perlinger@ntp.org>
249 [Bug 3367] Faulty LinuxPPS NMEA clock support in 4.2.8 <perlinger@ntp.org>
250 - reverted handling of PPS kernel consumer to 4.2.6 behavior
251 [Bug 3365] Updates driver40(-ja).html and miscopt.html <abe@ntp.org>
252 [Bug 3358] Spurious KoD log messages in .INIT. phase.  HStenn.
253 [Bug 3016] wrong error position reported for bad ":config pool"
254 - fixed location counter & ntpq output <perlinger@ntp.org>
255 [Bug 2900] libntp build order problem.  HStenn.
256 [Bug 2878] Tests are cluttering up syslog <perlinger@ntp.org>
257 [Bug 2737] Wrong phone number listed for USNO. ntp-bugs@bodosom.net,
258 perlinger@ntp.org
259 [Bug 2557] Fix Thunderbolt init. ntp-bugs@bodosom.net, perlinger@ntp.
260 [Bug 948] Trustedkey config directive leaks memory. <perlinger@ntp.org>
261 Use strlcpy() to copy strings, not memcpy().  HStenn.
262 Typos.  HStenn.
263 test_ntp_scanner_LDADD needs ntpd/ntp_io.o.  HStenn.
264 refclock_jjy.c: Add missing "%s" to an msyslog() call.  HStenn.
265 Build ntpq and libntpq.a with NTP_HARD_*FLAGS.  perlinger@ntp.org
266 Fix trivial warnings from 'make check'. perlinger@ntp.org
267 Fix bug in the override portion of the compiler hardening macro. HStenn.
268 record_raw_stats(): Log entire packet.  Log writes.  HStenn.
269 AES-128-CMAC support.  BInglis, HStenn, JPerlinger.
270 sntp: tweak key file logging.  HStenn.
271 sntp: pkt_output(): Improve debug output.  HStenn.
272 update-leap: updates from Paul McMath.
273 When using pkg-config, report --modversion.  HStenn.
274 Clean up libevent configure checks.  HStenn.
275 sntp: show the IP of who sent us a crypto-NAK.  HStenn.
276 Allow .../N to specify subnet bits for IPs in ntp.keys.  HStenn, JPerlinger.
277 authistrustedip() - use it in more places.  HStenn, JPerlinger.
278 New sysstats: sys_lamport, sys_tsrounding.  HStenn.
279 Update ntp.keys .../N documentation.  HStenn.
280 Distribute testconf.yml.  HStenn.
281 Add DPRINTF(2,...) lines to receive() for packet drops.  HStenn.
282 Rename the configuration flag fifo variables.  HStenn.
283 Improve saveconfig output.  HStenn.
284 Decode restrict flags on receive() debug output.  HStenn.
285 Decode interface flags on receive() debug output.  HStenn.
286 Warn the user if deprecated "driftfile name WanderThreshold" is used.  HStenn.
287 Update the documentation in ntp.conf.def .  HStenn.
288 restrictions() must return restrict flags and ippeerlimit.  HStenn.
289 Update ntpq peer documentation to describe the 'p' type.  HStenn.
290 Rename restrict 'flags' to 'rflags.  Use an enum for the values.  HStenn.
291 Provide dump_restricts() for debugging.  HStenn.
292 Use consistent 4th arg type for [gs]etsockopt.  JPerlinger.
293
294* Other items:
295
296* update-leap needs the following perl modules:
297	Net::SSLeay
298	IO::Socket::SSL
299
300* New sysstats variables: sys_lamport, sys_tsrounding
301See them with: ntpq -c "rv 0 ss_lamport,ss_tsrounding"
302sys_lamport counts the number of observed Lamport violations, while
303sys_tsrounding counts observed timestamp rounding events.
304
305* New ntp.conf items:
306
307- restrict ... noepeer
308- restrict ... ippeerlimit N
309
310The 'noepeer' directive will disallow all ephemeral/passive peer
311requests.
312
313The 'ippeerlimit' directive limits the number of time associations
314for each IP in the designated set of addresses.  This limit does not
315apply to explicitly-configured associations.  A value of -1, the current
316default, means an unlimited number of associations may connect from a
317single IP.  0 means "none", etc.  Ordinarily the only way multiple
318associations would come from the same IP would be if the remote side
319was using a proxy.  But a trusted machine might become compromised,
320in which case an attacker might spin up multiple authenticated sessions
321from different ports.  This directive should be helpful in this case.
322
323* New ntp.keys feature: Each IP in the optional list of IPs in the 4th
324field may contain a /subnetbits specification, which identifies  the
325scope of IPs that may use this key.  This IP/subnet restriction can be
326used to limit the IPs that may use the key in most all situations where
327a key is used.
328--
329NTP 4.2.8p10 (Harlan Stenn <stenn@ntp.org>, 2017/03/21)
330
331Focus: Security, Bug fixes, enhancements.
332
333Severity: MEDIUM
334
335This release fixes 5 medium-, 6 low-, and 4 informational-severity
336vulnerabilities, and provides 15 other non-security fixes and improvements:
337
338* NTP-01-016 NTP: Denial of Service via Malformed Config (Medium)
339   Date Resolved: 21 Mar 2017
340   References: Sec 3389 / CVE-2017-6464 / VU#325339
341   Affects: All versions of NTP-4, up to but not including ntp-4.2.8p10, and
342	ntp-4.3.0 up to, but not including ntp-4.3.94.
343   CVSS2: MED 4.6 (AV:N/AC:H/Au:M/C:N/I:N/A:C)
344   CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
345   Summary:
346	A vulnerability found in the NTP server makes it possible for an
347	authenticated remote user to crash ntpd via a malformed mode
348	configuration directive.
349   Mitigation:
350	Implement BCP-38.
351	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page or
352	    the NTP Public Services Project Download Page
353	Properly monitor your ntpd instances, and auto-restart
354	    ntpd (without -g) if it stops running.
355   Credit:
356	This weakness was discovered by Cure53.
357
358* NTP-01-014 NTP: Buffer Overflow in DPTS Clock (Low)
359    Date Resolved: 21 Mar 2017
360    References: Sec 3388 / CVE-2017-6462 / VU#325339
361    Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and ntp-4.3.0 up to, but not including ntp-4.3.94.
362    CVSS2: Low 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
363    CVSS3: Low 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
364    Summary:
365	There is a potential for a buffer overflow in the legacy Datum
366	Programmable Time Server refclock driver.  Here the packets are
367	processed from the /dev/datum device and handled in
368	datum_pts_receive().  Since an attacker would be required to
369	somehow control a malicious /dev/datum device, this does not
370	appear to be a practical attack and renders this issue "Low" in
371	terms of severity.
372   Mitigation:
373	If you have a Datum reference clock installed and think somebody
374	    may maliciously change the device, upgrade to 4.2.8p10, or
375	    later, from the NTP Project Download Page or the NTP Public
376	    Services Project Download Page
377	Properly monitor your ntpd instances, and auto-restart
378	    ntpd (without -g) if it stops running.
379   Credit:
380	This weakness was discovered by Cure53.
381
382* NTP-01-012 NTP: Authenticated DoS via Malicious Config Option (Medium)
383   Date Resolved: 21 Mar 2017
384   References: Sec 3387 / CVE-2017-6463 / VU#325339
385   Affects: All versions of ntp, up to but not including ntp-4.2.8p10, and
386	ntp-4.3.0 up to, but not including ntp-4.3.94.
387   CVSS2: MED 4.6 (AV:N/AC:H/Au:M/C:N/I:N/A:C)
388   CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
389   Summary:
390	A vulnerability found in the NTP server allows an authenticated
391	remote attacker to crash the daemon by sending an invalid setting
392	via the :config directive.  The unpeer option expects a number or
393	an address as an argument.  In case the value is "0", a
394	segmentation fault occurs.
395   Mitigation:
396	Implement BCP-38.
397	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
398	    or the NTP Public Services Project Download Page
399	Properly monitor your ntpd instances, and auto-restart
400	    ntpd (without -g) if it stops running.
401   Credit:
402	This weakness was discovered by Cure53.
403
404* NTP-01-011 NTP: ntpq_stripquotes() returns incorrect value (Informational)
405   Date Resolved: 21 Mar 2017
406   References: Sec 3386
407   Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
408	ntp-4.3.0 up to, but not including ntp-4.3.94.
409   CVSS2: None 0.0 (AV:N/AC:H/Au:N/C:N/I:N/A:N)
410   CVSS3: None 0.0 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:N
411   Summary:
412	The NTP Mode 6 monitoring and control client, ntpq, uses the
413	function ntpq_stripquotes() to remove quotes and escape characters
414	from a given string.  According to the documentation, the function
415	is supposed to return the number of copied bytes but due to
416	incorrect pointer usage this value is always zero.  Although the
417	return value of this function is never used in the code, this
418	flaw could lead to a vulnerability in the future.  Since relying
419	on wrong return values when performing memory operations is a
420	dangerous practice, it is recommended to return the correct value
421	in accordance with the documentation pertinent to the code.
422   Mitigation:
423	Implement BCP-38.
424	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
425	    or the NTP Public Services Project Download Page
426	Properly monitor your ntpd instances, and auto-restart
427	    ntpd (without -g) if it stops running.
428   Credit:
429	This weakness was discovered by Cure53.
430
431* NTP-01-010 NTP: ereallocarray()/eallocarray() underused (Info)
432   Date Resolved: 21 Mar 2017
433   References: Sec 3385
434   Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
435	ntp-4.3.0 up to, but not including ntp-4.3.94.
436   Summary:
437	NTP makes use of several wrappers around the standard heap memory
438	allocation functions that are provided by libc.  This is mainly
439	done to introduce additional safety checks concentrated on
440	several goals.  First, they seek to ensure that memory is not
441	accidentally freed, secondly they verify that a correct amount
442	is always allocated and, thirdly, that allocation failures are
443	correctly handled.  There is an additional implementation for
444	scenarios where memory for a specific amount of items of the
445	same size needs to be allocated.  The handling can be found in
446	the oreallocarray() function for which a further number-of-elements
447	parameter needs to be provided.  Although no considerable threat
448	was identified as tied to a lack of use of this function, it is
449	recommended to correctly apply oreallocarray() as a preferred
450	option across all of the locations where it is possible.
451   Mitigation:
452	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
453	    or the NTP Public Services Project Download Page
454   Credit:
455	This weakness was discovered by Cure53.
456
457* NTP-01-009 NTP: Privileged execution of User Library code (WINDOWS
458	PPSAPI ONLY) (Low)
459   Date Resolved: 21 Mar 2017
460   References: Sec 3384 / CVE-2017-6455 / VU#325339
461   Affects: All Windows versions of ntp-4 that use the PPSAPI, up to but
462	not including ntp-4.2.8p10, and ntp-4.3.0 up to, but not
463	including ntp-4.3.94.
464   CVSS2: MED 3.8 (AV:L/AC:H/Au:S/C:N/I:N/A:C)
465   CVSS3: MED 4.0 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
466   Summary:
467	The Windows NT port has the added capability to preload DLLs
468	defined in the inherited global local environment variable
469	PPSAPI_DLLS.  The code contained within those libraries is then
470	called from the NTPD service, usually running with elevated
471	privileges. Depending on how securely the machine is setup and
472	configured, if ntpd is configured to use the PPSAPI under Windows
473	this can easily lead to a code injection.
474   Mitigation:
475	Implement BCP-38.
476	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
477	    or the NTP Public Services Project Download Page
478   Credit:
479   This weakness was discovered by Cure53.
480
481* NTP-01-008 NTP: Stack Buffer Overflow from Command Line (WINDOWS
482	installer ONLY) (Low)
483   Date Resolved: 21 Mar 2017
484   References: Sec 3383 / CVE-2017-6452 / VU#325339
485   Affects: WINDOWS installer ONLY: All versions of the ntp-4 Windows
486	installer, up to but not including ntp-4.2.8p10, and ntp-4.3.0 up
487	to, but not including ntp-4.3.94.
488   CVSS2: Low 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
489   CVSS3: Low 1.8 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
490   Summary:
491	The Windows installer for NTP calls strcat(), blindly appending
492	the string passed to the stack buffer in the addSourceToRegistry()
493	function.  The stack buffer is 70 bytes smaller than the buffer
494	in the calling main() function.  Together with the initially
495	copied Registry path, the combination causes a stack buffer
496	overflow and effectively overwrites the stack frame.  The
497	passed application path is actually limited to 256 bytes by the
498	operating system, but this is not sufficient to assure that the
499	affected stack buffer is consistently protected against
500	overflowing at all times.
501   Mitigation:
502	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
503	or the NTP Public Services Project Download Page
504   Credit:
505	This weakness was discovered by Cure53.
506
507* NTP-01-007 NTP: Data Structure terminated insufficiently (WINDOWS
508	installer ONLY) (Low)
509   Date Resolved: 21 Mar 2017
510   References: Sec 3382 / CVE-2017-6459 / VU#325339
511   Affects: WINDOWS installer ONLY: All ntp-4 versions of the Windows
512	installer, up to but not including ntp-4.2.8p10, and ntp-4.3.0
513	up to, but not including ntp-4.3.94.
514   CVSS2: Low 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
515   CVSS3: Low 1.8 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
516   Summary:
517	The Windows installer for NTP calls strcpy() with an argument
518	that specifically contains multiple null bytes.  strcpy() only
519	copies a single terminating null character into the target
520	buffer instead of copying the required double null bytes in the
521	addKeysToRegistry() function.  As a consequence, a garbage
522	registry entry can be created.  The additional arsize parameter
523	is erroneously set to contain two null bytes and the following
524	call to RegSetValueEx() claims to be passing in a multi-string
525	value, though this may not be true.
526   Mitigation:
527	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
528	    or the NTP Public Services Project Download Page
529   Credit:
530	This weakness was discovered by Cure53.
531
532* NTP-01-006 NTP: Copious amounts of Unused Code (Informational)
533   References: Sec 3381
534   Summary:
535	The report says: Statically included external projects
536	potentially introduce several problems and the issue of having
537	extensive amounts of code that is "dead" in the resulting binary
538	must clearly be pointed out.  The unnecessary unused code may or
539	may not contain bugs and, quite possibly, might be leveraged for
540	code-gadget-based branch-flow redirection exploits.  Analogically,
541	having source trees statically included as well means a failure
542	in taking advantage of the free feature for periodical updates.
543	This solution is offered by the system's Package Manager. The
544	three libraries identified are libisc, libevent, and libopts.
545   Resolution:
546	For libisc, we already only use a portion of the original library.
547	We've found and fixed bugs in the original implementation (and
548	offered the patches to ISC), and plan to see what has changed
549	since we last upgraded the code.  libisc is generally not
550	installed, and when it it we usually only see the static libisc.a
551	file installed.  Until we know for sure that the bugs we've found
552	and fixed are fixed upstream, we're better off with the copy we
553	are using.
554
555        Version 1 of libevent was the only production version available
556	until recently, and we've been requiring version 2 for a long time.
557	But if the build system has at least version 2 of libevent
558	installed, we'll use the version that is installed on the system.
559	Otherwise, we provide a copy of libevent that we know works.
560
561        libopts is provided by GNU AutoGen, and that library and package
562	undergoes frequent API version updates.  The version of autogen
563	used to generate the tables for the code must match the API
564	version in libopts.  AutoGen can be ... difficult to build and
565	install, and very few developers really need it.  So we have it
566	on our build and development machines, and we provide the
567	specific version of the libopts code in the distribution to make
568	sure that the proper API version of libopts is available.
569
570        As for the point about there being code in these libraries that
571	NTP doesn't use, OK.  But other packages used these libraries as
572	well, and it is reasonable to assume that other people are paying
573	attention to security and code quality issues for the overall
574	libraries.  It takes significant resources to analyze and
575	customize these libraries to only include what we need, and to
576	date we believe the cost of this effort does not justify the benefit.
577   Credit:
578	This issue was discovered by Cure53.
579
580* NTP-01-005 NTP: Off-by-one in Oncore GPS Receiver (Low)
581   Date Resolved: 21 Mar 2017
582   References: Sec 3380
583   Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
584   	ntp-4.3.0 up to, but not including ntp-4.3.94.
585   CVSS2: None 0.0 (AV:L/AC:H/Au:N/C:N/I:N/A:N)
586   CVSS3: None 0.0 CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:N
587   Summary:
588	There is a fencepost error in a "recovery branch" of the code for
589	the Oncore GPS receiver if the communication link to the ONCORE
590	is weak / distorted and the decoding doesn't work.
591   Mitigation:
592        Upgrade to 4.2.8p10, or later, from the NTP Project Download Page or
593	    the NTP Public Services Project Download Page
594        Properly monitor your ntpd instances, and auto-restart
595	    ntpd (without -g) if it stops running.
596   Credit:
597	This weakness was discovered by Cure53.
598
599* NTP-01-004 NTP: Potential Overflows in ctl_put() functions (Medium)
600   Date Resolved: 21 Mar 2017
601   References: Sec 3379 / CVE-2017-6458 / VU#325339
602   Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
603	ntp-4.3.0 up to, but not including ntp-4.3.94.
604   CVSS2: MED 4.6 (AV:N/AC:H/Au:M/C:N/I:N/A:C)
605   CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
606   Summary:
607	ntpd makes use of different wrappers around ctl_putdata() to
608	create name/value ntpq (mode 6) response strings.  For example,
609	ctl_putstr() is usually used to send string data (variable names
610	or string data).  The formatting code was missing a length check
611	for variable names.  If somebody explicitly created any unusually
612	long variable names in ntpd (longer than 200-512 bytes, depending
613	on the type of variable), then if any of these variables are
614	added to the response list it would overflow a buffer.
615   Mitigation:
616	Implement BCP-38.
617	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
618	    or the NTP Public Services Project Download Page
619	If you don't want to upgrade, then don't setvar variable names
620	    longer than 200-512 bytes in your ntp.conf file.
621	Properly monitor your ntpd instances, and auto-restart
622	    ntpd (without -g) if it stops running.
623   Credit:
624	This weakness was discovered by Cure53.
625
626* NTP-01-003 NTP: Improper use of snprintf() in mx4200_send() (Low)
627   Date Resolved: 21 Mar 2017
628   References: Sec 3378 / CVE-2017-6451 / VU#325339
629   Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
630	ntp-4.3.0 up to, but not including ntp-4.3.94.
631   CVSS2: LOW 0.8 (AV:L/AC:H/Au:M/C:N/I:N/A:P)
632   CVSS3: LOW 1.8 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N
633   Summary:
634	The legacy MX4200 refclock is only built if is specifically
635	enabled, and furthermore additional code changes are required to
636	compile and use it.  But it uses the libc functions snprintf()
637	and vsnprintf() incorrectly, which can lead to an out-of-bounds
638	memory write due to an improper handling of the return value of
639	snprintf()/vsnprintf().  Since the return value is used as an
640	iterator and it can be larger than the buffer's size, it is
641	possible for the iterator to point somewhere outside of the
642	allocated buffer space.  This results in an out-of-bound memory
643	write.  This behavior can be leveraged to overwrite a saved
644	instruction pointer on the stack and gain control over the
645	execution flow.  During testing it was not possible to identify
646	any malicious usage for this vulnerability.  Specifically, no
647	way for an attacker to exploit this vulnerability was ultimately
648	unveiled.  However, it has the potential to be exploited, so the
649	code should be fixed.
650   Mitigation, if you have a Magnavox MX4200 refclock:
651	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
652	    or the NTP Public Services Project Download Page.
653	Properly monitor your ntpd instances, and auto-restart
654	    ntpd (without -g) if it stops running.
655   Credit:
656	This weakness was discovered by Cure53.
657
658* NTP-01-002 NTP: Buffer Overflow in ntpq when fetching reslist from a
659	malicious ntpd (Medium)
660   Date Resolved: 21 Mar 2017
661   References: Sec 3377 / CVE-2017-6460 / VU#325339
662   Affects: All versions of ntpq, up to but not including ntp-4.2.8p10, and
663	ntp-4.3.0 up to, but not including ntp-4.3.94.
664   CVSS2: MED 4.9 (AV:N/AC:H/Au:S/C:N/I:N/A:C)
665   CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
666   Summary:
667	A stack buffer overflow in ntpq can be triggered by a malicious
668	ntpd server when ntpq requests the restriction list from the server.
669	This is due to a missing length check in the reslist() function.
670	It occurs whenever the function parses the server's response and
671	encounters a flagstr variable of an excessive length.  The string
672	will be copied into a fixed-size buffer, leading to an overflow on
673	the function's stack-frame.  Note well that this problem requires
674	a malicious server, and affects ntpq, not ntpd.
675   Mitigation:
676	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
677	    or the NTP Public Services Project Download Page
678	If you can't upgrade your version of ntpq then if you want to know
679	    the reslist of an instance of ntpd that you do not control,
680	    know that if the target ntpd is malicious that it can send back
681	    a response that intends to crash your ntpq process.
682   Credit:
683	This weakness was discovered by Cure53.
684
685* NTP-01-001 NTP: Makefile does not enforce Security Flags (Informational)
686   Date Resolved: 21 Mar 2017
687   References: Sec 3376
688   Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
689	ntp-4.3.0 up to, but not including ntp-4.3.94.
690   CVSS2: N/A
691   CVSS3: N/A
692   Summary:
693	The build process for NTP has not, by default, provided compile
694	or link flags to offer "hardened" security options.  Package
695	maintainers have always been able to provide hardening security
696	flags for their builds.  As of ntp-4.2.8p10, the NTP build
697	system has a way to provide OS-specific hardening flags.  Please
698	note that this is still not a really great solution because it
699	is specific to NTP builds.  It's inefficient to have every
700	package supply, track and maintain this information for every
701	target build.  It would be much better if there was a common way
702	for OSes to provide this information in a way that arbitrary
703	packages could benefit from it.
704   Mitigation:
705	Implement BCP-38.
706	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
707	    or the NTP Public Services Project Download Page
708	Properly monitor your ntpd instances, and auto-restart
709	    ntpd (without -g) if it stops running.
710   Credit:
711	This weakness was reported by Cure53.
712
713* 0rigin DoS (Medium)
714   Date Resolved: 21 Mar 2017
715   References: Sec 3361 / CVE-2016-9042 / VU#325339
716   Affects: ntp-4.2.8p9 (21 Nov 2016), up to but not including ntp-4.2.8p10
717   CVSS2: MED 4.9 (AV:N/AC:H/Au:N/C:N/I:N/A:C) (worst case)
718   CVSS3: MED 4.4 CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H (worst case)
719   Summary:
720	An exploitable denial of service vulnerability exists in the
721	origin timestamp check functionality of ntpd 4.2.8p9.  A specially
722	crafted unauthenticated network packet can be used to reset the
723	expected origin timestamp for target peers.  Legitimate replies
724	from targeted peers will fail the origin timestamp check (TEST2)
725	causing the reply to be dropped and creating a denial of service
726	condition.  This vulnerability can only be exploited if the
727	attacker can spoof all of the servers.
728   Mitigation:
729	Implement BCP-38.
730	Configure enough servers/peers that an attacker cannot target
731	    all of your time sources.
732	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
733	    or the NTP Public Services Project Download Page
734	Properly monitor your ntpd instances, and auto-restart
735	    ntpd (without -g) if it stops running.
736   Credit:
737	This weakness was discovered by Matthew Van Gundy of Cisco.
738
739Other fixes:
740
741* [Bug 3393] clang scan-build findings <perlinger@ntp.org>
742* [Bug 3363] Support for openssl-1.1.0 without compatibility modes
743  - rework of patch set from <ntp.org@eroen.eu>. <perlinger@ntp.org>
744* [Bug 3356] Bugfix 3072 breaks multicastclient <perlinger@ntp.org>
745* [Bug 3216] libntp audio ioctl() args incorrectly cast to int
746  on 4.4BSD-Lite derived platforms <perlinger@ntp.org>
747  - original patch by Majdi S. Abbas
748* [Bug 3215] 'make distcheck' fails with new BK repo format <perlinger@ntp.org>
749* [Bug 3173] forking async worker: interrupted pipe I/O <perlinger@ntp.org>
750  - initial patch by Christos Zoulas
751* [Bug 3139] (...) time_pps_create: Exec format error <perlinger@ntp.org>
752  - move loader API from 'inline' to proper source
753  - augment pathless dlls with absolute path to NTPD
754  - use 'msyslog()' instead of 'printf() 'for reporting trouble
755* [Bug 3107] Incorrect Logic for Peer Event Limiting <perlinger@ntp.org>
756  - applied patch by Matthew Van Gundy
757* [Bug 3065] Quiet warnings on NetBSD <perlinger@ntp.org>
758  - applied some of the patches provided by Havard. Not all of them
759    still match the current code base, and I did not touch libopt.
760* [Bug 3062] Change the process name of forked DNS worker <perlinger@ntp.org>
761  - applied patch by Reinhard Max. See bugzilla for limitations.
762* [Bug 2923] Trap Configuration Fail <perlinger@ntp.org>
763  - fixed dependency inversion from [Bug 2837]
764* [Bug 2896] Nothing happens if minsane < maxclock < minclock
765  - produce ERROR log message about dysfunctional daemon. <perlinger@ntp.org>
766* [Bug 2851] allow -4/-6 on restrict line with mask <perlinger@ntp.org>
767  - applied patch by Miroslav Lichvar for ntp4.2.6 compat
768* [Bug 2645] out-of-bound pointers in ctl_putsys and decode_bitflags
769  - Fixed these and some more locations of this pattern.
770    Probably din't get them all, though. <perlinger@ntp.org>
771* Update copyright year.
772
773--
774(4.2.8p9-win) 2017/02/01 Released by Harlan Stenn <stenn@ntp.org>
775
776* [Bug 3144] NTP does not build without openSSL. <perlinger@ntp.org>
777  - added missed changeset for automatic openssl lib detection
778  - fixed some minor warning issues
779* [Bug 3095]  More compatibility with openssl 1.1. <perlinger@ntp.org>
780* configure.ac cleanup.  stenn@ntp.org
781* openssl configure cleanup.  stenn@ntp.org
782
783--
784NTP 4.2.8p9 (Harlan Stenn <stenn@ntp.org>, 2016/11/21)
785
786Focus: Security, Bug fixes, enhancements.
787
788Severity: HIGH
789
790In addition to bug fixes and enhancements, this release fixes the
791following 1 high- (Windows only), 2 medium-, 2 medium-/low, and
7925 low-severity vulnerabilities, and provides 28 other non-security
793fixes and improvements:
794
795* Trap crash
796   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
797   References: Sec 3119 / CVE-2016-9311 / VU#633847
798   Affects: ntp-4.0.90 (21 July 1999), possibly earlier, up to but not
799   	including 4.2.8p9, and ntp-4.3.0 up to but not including ntp-4.3.94.
800   CVSS2: MED 4.9 (AV:N/AC:H/Au:N/C:N/I:N/A:C)
801   CVSS3: MED 4.4 CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H
802   Summary:
803	ntpd does not enable trap service by default. If trap service
804	has been explicitly enabled, an attacker can send a specially
805	crafted packet to cause a null pointer dereference that will
806	crash ntpd, resulting in a denial of service.
807   Mitigation:
808        Implement BCP-38.
809	Use "restrict default noquery ..." in your ntp.conf file. Only
810	    allow mode 6 queries from trusted networks and hosts.
811        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
812	    or the NTP Public Services Project Download Page
813        Properly monitor your ntpd instances, and auto-restart ntpd
814	    (without -g) if it stops running.
815   Credit: This weakness was discovered by Matthew Van Gundy of Cisco.
816
817* Mode 6 information disclosure and DDoS vector
818   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
819   References: Sec 3118 / CVE-2016-9310 / VU#633847
820   Affects: ntp-4.0.90 (21 July 1999), possibly earlier, up to but not
821	including 4.2.8p9, and ntp-4.3.0 up to but not including ntp-4.3.94.
822   CVSS2: MED 6.4 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
823   CVSS3: MED 6.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
824   Summary:
825	An exploitable configuration modification vulnerability exists
826	in the control mode (mode 6) functionality of ntpd. If, against
827	long-standing BCP recommendations, "restrict default noquery ..."
828	is not specified, a specially crafted control mode packet can set
829	ntpd traps, providing information disclosure and DDoS
830	amplification, and unset ntpd traps, disabling legitimate
831	monitoring. A remote, unauthenticated, network attacker can
832	trigger this vulnerability.
833   Mitigation:
834        Implement BCP-38.
835	Use "restrict default noquery ..." in your ntp.conf file.
836        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
837	    or the NTP Public Services Project Download Page
838        Properly monitor your ntpd instances, and auto-restart ntpd
839	    (without -g) if it stops running.
840   Credit: This weakness was discovered by Matthew Van Gundy of Cisco.
841
842* Broadcast Mode Replay Prevention DoS
843   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
844   References: Sec 3114 / CVE-2016-7427 / VU#633847
845   Affects: ntp-4.2.8p6, up to but not including ntp-4.2.8p9, and
846	ntp-4.3.90 up to, but not including ntp-4.3.94.
847   CVSS2: LOW 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
848   CVSS3: MED 4.3 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
849   Summary:
850	The broadcast mode of NTP is expected to only be used in a
851	trusted network. If the broadcast network is accessible to an
852	attacker, a potentially exploitable denial of service
853	vulnerability in ntpd's broadcast mode replay prevention
854	functionality can be abused. An attacker with access to the NTP
855	broadcast domain can periodically inject specially crafted
856	broadcast mode NTP packets into the broadcast domain which,
857	while being logged by ntpd, can cause ntpd to reject broadcast
858	mode packets from legitimate NTP broadcast servers.
859   Mitigation:
860        Implement BCP-38.
861        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
862	    or the NTP Public Services Project Download Page
863        Properly monitor your ntpd instances, and auto-restart ntpd
864	    (without -g) if it stops running.
865   Credit: This weakness was discovered by Matthew Van Gundy of Cisco.
866
867* Broadcast Mode Poll Interval Enforcement DoS
868   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
869   References: Sec 3113 / CVE-2016-7428 / VU#633847
870   Affects: ntp-4.2.8p6, up to but not including ntp-4.2.8p9, and
871	ntp-4.3.90 up to, but not including ntp-4.3.94
872   CVSS2: LOW 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
873   CVSS3: MED 4.3 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
874   Summary:
875	The broadcast mode of NTP is expected to only be used in a
876	trusted network. If the broadcast network is accessible to an
877	attacker, a potentially exploitable denial of service
878	vulnerability in ntpd's broadcast mode poll interval enforcement
879	functionality can be abused. To limit abuse, ntpd restricts the
880	rate at which each broadcast association will process incoming
881	packets. ntpd will reject broadcast mode packets that arrive
882	before the poll interval specified in the preceding broadcast
883	packet expires. An attacker with access to the NTP broadcast
884	domain can send specially crafted broadcast mode NTP packets to
885	the broadcast domain which, while being logged by ntpd, will
886	cause ntpd to reject broadcast mode packets from legitimate NTP
887	broadcast servers.
888   Mitigation:
889        Implement BCP-38.
890        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
891	    or the NTP Public Services Project Download Page
892        Properly monitor your ntpd instances, and auto-restart ntpd
893	    (without -g) if it stops running.
894   Credit: This weakness was discovered by Matthew Van Gundy of Cisco.
895
896* Windows: ntpd DoS by oversized UDP packet
897   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
898   References: Sec 3110 / CVE-2016-9312 / VU#633847
899   Affects Windows only: ntp-4.?.?, up to but not including ntp-4.2.8p9,
900	and ntp-4.3.0 up to, but not including ntp-4.3.94.
901   CVSS2: HIGH 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
902   CVSS3: HIGH 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
903   Summary:
904	If a vulnerable instance of ntpd on Windows receives a crafted
905	malicious packet that is "too big", ntpd will stop working.
906   Mitigation:
907        Implement BCP-38.
908        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
909	    or the NTP Public Services Project Download Page
910        Properly monitor your ntpd instances, and auto-restart ntpd
911	    (without -g) if it stops running.
912   Credit: This weakness was discovered by Robert Pajak of ABB.
913
914* 0rigin (zero origin) issues
915   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
916   References: Sec 3102 / CVE-2016-7431 / VU#633847
917   Affects: ntp-4.2.8p8, and ntp-4.3.93.
918   CVSS2: MED 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
919   CVSS3: MED 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
920   Summary:
921	Zero Origin timestamp problems were fixed by Bug 2945 in
922	ntp-4.2.8p6. However, subsequent timestamp validation checks
923	introduced a regression in the handling of some Zero origin
924	timestamp checks.
925   Mitigation:
926        Implement BCP-38.
927        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
928	    or the NTP Public Services Project Download Page
929        Properly monitor your ntpd instances, and auto-restart ntpd
930	    (without -g) if it stops running.
931   Credit: This weakness was discovered by Sharon Goldberg and Aanchal
932	Malhotra of Boston University.
933
934* read_mru_list() does inadequate incoming packet checks
935   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
936   References: Sec 3082 / CVE-2016-7434 / VU#633847
937   Affects: ntp-4.2.7p22, up to but not including ntp-4.2.8p9, and
938	ntp-4.3.0 up to, but not including ntp-4.3.94.
939   CVSS2: LOW 3.8 (AV:L/AC:H/Au:S/C:N/I:N/A:C)
940   CVSS3: LOW 3.8 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
941   Summary:
942	If ntpd is configured to allow mrulist query requests from a
943	server that sends a crafted malicious packet, ntpd will crash
944	on receipt of that crafted malicious mrulist query packet.
945   Mitigation:
946	Only allow mrulist query packets from trusted hosts.
947        Implement BCP-38.
948        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
949	    or the NTP Public Services Project Download Page
950        Properly monitor your ntpd instances, and auto-restart ntpd
951	    (without -g) if it stops running.
952   Credit: This weakness was discovered by Magnus Stubman.
953
954* Attack on interface selection
955   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
956   References: Sec 3072 / CVE-2016-7429 / VU#633847
957   Affects: ntp-4.2.7p385, up to but not including ntp-4.2.8p9, and
958	ntp-4.3.0 up to, but not including ntp-4.3.94
959   CVSS2: LOW 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
960   CVSS3: LOW 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
961   Summary:
962	When ntpd receives a server response on a socket that corresponds
963	to a different interface than was used for the request, the peer
964	structure is updated to use the interface for new requests. If
965	ntpd is running on a host with multiple interfaces in separate
966	networks and the operating system doesn't check source address in
967	received packets (e.g. rp_filter on Linux is set to 0), an
968	attacker that knows the address of the source can send a packet
969	with spoofed source address which will cause ntpd to select wrong
970	interface for the source and prevent it from sending new requests
971	until the list of interfaces is refreshed, which happens on
972	routing changes or every 5 minutes by default. If the attack is
973	repeated often enough (once per second), ntpd will not be able to
974	synchronize with the source.
975   Mitigation:
976        Implement BCP-38.
977        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
978	    or the NTP Public Services Project Download Page
979	If you are going to configure your OS to disable source address
980	    checks, also configure your firewall configuration to control
981	    what interfaces can receive packets from what networks.
982        Properly monitor your ntpd instances, and auto-restart ntpd
983	    (without -g) if it stops running.
984   Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
985
986* Client rate limiting and server responses
987   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
988   References: Sec 3071 / CVE-2016-7426 / VU#633847
989   Affects: ntp-4.2.5p203, up to but not including ntp-4.2.8p9, and
990	ntp-4.3.0 up to, but not including ntp-4.3.94
991   CVSS2: LOW 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
992   CVSS3: LOW 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
993   Summary:
994	When ntpd is configured with rate limiting for all associations
995	(restrict default limited in ntp.conf), the limits are applied
996	also to responses received from its configured sources. An
997	attacker who knows the sources (e.g., from an IPv4 refid in
998	server response) and knows the system is (mis)configured in this
999	way can periodically send packets with spoofed source address to
1000	keep the rate limiting activated and prevent ntpd from accepting
1001	valid responses from its sources.
1002
1003	While this blanket rate limiting can be useful to prevent
1004	brute-force attacks on the origin timestamp, it allows this DoS
1005	attack. Similarly, it allows the attacker to prevent mobilization
1006	of ephemeral associations.
1007   Mitigation:
1008        Implement BCP-38.
1009        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
1010	    or the NTP Public Services Project Download Page
1011        Properly monitor your ntpd instances, and auto-restart ntpd
1012	    (without -g) if it stops running.
1013   Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
1014
1015* Fix for bug 2085 broke initial sync calculations
1016   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
1017   References: Sec 3067 / CVE-2016-7433 / VU#633847
1018   Affects: ntp-4.2.7p385, up to but not including ntp-4.2.8p9, and
1019	ntp-4.3.0 up to, but not including ntp-4.3.94. But the
1020	root-distance calculation in general is incorrect in all versions
1021	of ntp-4 until this release.
1022   CVSS2: LOW 1.2 (AV:L/AC:H/Au:N/C:N/I:N/A:P)
1023   CVSS3: LOW 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L
1024   Summary:
1025	Bug 2085 described a condition where the root delay was included
1026	twice, causing the jitter value to be higher than expected. Due
1027	to a misinterpretation of a small-print variable in The Book, the
1028	fix for this problem was incorrect, resulting in a root distance
1029	that did not include the peer dispersion. The calculations and
1030	formulae have been reviewed and reconciled, and the code has been
1031	updated accordingly.
1032   Mitigation:
1033        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
1034	    or the NTP Public Services Project Download Page
1035        Properly monitor your ntpd instances, and auto-restart ntpd
1036	    (without -g) if it stops running.
1037   Credit: This weakness was discovered independently by Brian Utterback of
1038	Oracle, and Sharon Goldberg and Aanchal Malhotra of Boston University.
1039
1040Other fixes:
1041
1042* [Bug 3142] bug in netmask prefix length detection <perlinger@ntp.org>
1043* [Bug 3138] gpsdjson refclock should honor fudgetime1. stenn@ntp.org
1044* [Bug 3129] Unknown hosts can put resolver thread into a hard loop
1045  - moved retry decision where it belongs. <perlinger@ntp.org>
1046* [Bug 3125] NTPD doesn't fully start when ntp.conf entries are out of order
1047  using the loopback-ppsapi-provider.dll <perlinger@ntp.org>
1048* [Bug 3116] unit tests for NTP time stamp expansion. <perlinger@ntp.org>
1049* [Bug 3100] ntpq can't retrieve daemon_version <perlinger@ntp.org>
1050  - fixed extended sysvar lookup (bug introduced with bug 3008 fix)
1051* [Bug 3095] Compatibility with openssl 1.1 <perlinger@ntp.org>
1052  - applied patches by Kurt Roeckx <kurt@roeckx.be> to source
1053  - added shim layer for SSL API calls with issues (both directions)
1054* [Bug 3089] Serial Parser does not work anymore for hopfser like device
1055  - simplified / refactored hex-decoding in driver. <perlinger@ntp.org>
1056* [Bug 3084] update-leap mis-parses the leapfile name.  HStenn.
1057* [Bug 3068] Linker warnings when building on Solaris. perlinger@ntp.org
1058  - applied patch thanks to Andrew Stormont <andyjstormont@gmail.com>
1059* [Bug 3067] Root distance calculation needs improvement.  HStenn
1060* [Bug 3066] NMEA clock ignores pps. perlinger@ntp.org
1061  - PPS-HACK works again.
1062* [Bug 3059] Potential buffer overrun from oversized hash <perlinger@ntp.org>
1063  - applied patch by Brian Utterback <brian.utterback@oracle.com>
1064* [Bug 3053] ntp_loopfilter.c frequency calc precedence error.  Sarah White.
1065* [Bug 3050] Fix for bug #2960 causes [...] spurious error message.
1066  <perlinger@ntp.org>
1067  - patches by Reinhard Max <max@suse.com> and Havard Eidnes <he@uninett.no>
1068* [Bug 3047] Fix refclock_jjy C-DEX JST2000. abe@ntp.org
1069  - Patch provided by Kuramatsu.
1070* [Bug 3021] unity_fixture.c needs pragma weak <perlinger@ntp.org>
1071  - removed unnecessary & harmful decls of 'setUp()' & 'tearDown()'
1072* [Bug 3019] Windows: ERROR_HOST_UNREACHABLE block packet processing. DMayer
1073* [Bug 2998] sntp/tests/packetProcessing.c broken without openssl. JPerlinger
1074* [Bug 2961] sntp/tests/packetProcessing.c assumes AUTOKEY.  HStenn.
1075* [Bug 2959] refclock_jupiter: gps week correction <perlinger@ntp.org>
1076  - fixed GPS week expansion to work based on build date. Special thanks
1077    to Craig Leres for initial patch and testing.
1078* [Bug 2951] ntpd tests fail: multiple definition of `send_via_ntp_signd'
1079  - fixed Makefile.am <perlinger@ntp.org>
1080* [Bug 2689] ATOM driver processes last PPS pulse at startup,
1081             even if it is very old <perlinger@ntp.org>
1082  - make sure PPS source is alive before processing samples
1083  - improve stability close to the 500ms phase jump (phase gate)
1084* Fix typos in include/ntp.h.
1085* Shim X509_get_signature_nid() if needed
1086* git author attribution cleanup
1087* bk ignore file cleanup
1088* remove locks in Windows IO, use rpc-like thread synchronisation instead
1089
1090---
1091NTP 4.2.8p8 (Harlan Stenn <stenn@ntp.org>, 2016/06/02)
1092
1093Focus: Security, Bug fixes, enhancements.
1094
1095Severity: HIGH
1096
1097In addition to bug fixes and enhancements, this release fixes the
1098following 1 high- and 4 low-severity vulnerabilities:
1099
1100* CRYPTO_NAK crash
1101   Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
1102   References: Sec 3046 / CVE-2016-4957 / VU#321640
1103   Affects: ntp-4.2.8p7, and ntp-4.3.92.
1104   CVSS2: HIGH 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
1105   CVSS3: HIGH 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1106   Summary: The fix for Sec 3007 in ntp-4.2.8p7 contained a bug that
1107	could cause ntpd to crash.
1108   Mitigation:
1109        Implement BCP-38.
1110        Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
1111	    or the NTP Public Services Project Download Page
1112        If you cannot upgrade from 4.2.8p7, the only other alternatives
1113	    are to patch your code or filter CRYPTO_NAK packets.
1114        Properly monitor your ntpd instances, and auto-restart ntpd
1115	    (without -g) if it stops running.
1116   Credit: This weakness was discovered by Nicolas Edet of Cisco.
1117
1118* Bad authentication demobilizes ephemeral associations
1119   Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
1120   References: Sec 3045 / CVE-2016-4953 / VU#321640
1121   Affects: ntp-4, up to but not including ntp-4.2.8p8, and
1122	ntp-4.3.0 up to, but not including ntp-4.3.93.
1123   CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
1124   CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
1125   Summary: An attacker who knows the origin timestamp and can send a
1126	spoofed packet containing a CRYPTO-NAK to an ephemeral peer
1127	target before any other response is sent can demobilize that
1128	association.
1129   Mitigation:
1130	Implement BCP-38.
1131	Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
1132	    or the NTP Public Services Project Download Page
1133	Properly monitor your ntpd instances.
1134	Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
1135
1136* Processing spoofed server packets
1137   Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
1138   References: Sec 3044 / CVE-2016-4954 / VU#321640
1139   Affects: ntp-4, up to but not including ntp-4.2.8p8, and
1140	ntp-4.3.0 up to, but not including ntp-4.3.93.
1141   CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
1142   CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
1143   Summary: An attacker who is able to spoof packets with correct origin
1144	timestamps from enough servers before the expected response
1145	packets arrive at the target machine can affect some peer
1146	variables and, for example, cause a false leap indication to be set.
1147   Mitigation:
1148	Implement BCP-38.
1149	Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
1150	    or the NTP Public Services Project Download Page
1151	Properly monitor your ntpd instances.
1152   Credit: This weakness was discovered by Jakub Prokes of Red Hat.
1153
1154* Autokey association reset
1155   Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
1156   References: Sec 3043 / CVE-2016-4955 / VU#321640
1157   Affects: ntp-4, up to but not including ntp-4.2.8p8, and
1158	ntp-4.3.0 up to, but not including ntp-4.3.93.
1159   CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
1160   CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
1161   Summary: An attacker who is able to spoof a packet with a correct
1162	origin timestamp before the expected response packet arrives at
1163	the target machine can send a CRYPTO_NAK or a bad MAC and cause
1164	the association's peer variables to be cleared. If this can be
1165	done often enough, it will prevent that association from working.
1166   Mitigation:
1167	Implement BCP-38.
1168	Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
1169	    or the NTP Public Services Project Download Page
1170	Properly monitor your ntpd instances.
1171   Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
1172
1173* Broadcast interleave
1174   Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
1175   References: Sec 3042 / CVE-2016-4956 / VU#321640
1176   Affects: ntp-4, up to but not including ntp-4.2.8p8, and
1177   	ntp-4.3.0 up to, but not including ntp-4.3.93.
1178   CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
1179   CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
1180   Summary: The fix for NtpBug2978 does not cover broadcast associations,
1181   	so broadcast clients can be triggered to flip into interleave mode.
1182   Mitigation:
1183	Implement BCP-38.
1184	Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
1185	    or the NTP Public Services Project Download Page
1186	Properly monitor your ntpd instances.
1187   Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
1188
1189Other fixes:
1190* [Bug 3038] NTP fails to build in VS2015. perlinger@ntp.org
1191  - provide build environment
1192  - 'wint_t' and 'struct timespec' defined by VS2015
1193  - fixed print()/scanf() format issues
1194* [Bug 3052] Add a .gitignore file.  Edmund Wong.
1195* [Bug 3054] miscopt.html documents the allan intercept in seconds. SWhite.
1196* [Bug 3058] fetch_timestamp() mishandles 64-bit alignment. Brian Utterback,
1197  JPerlinger, HStenn.
1198* Fix typo in ntp-wait and plot_summary.  HStenn.
1199* Make sure we have an "author" file for git imports.  HStenn.
1200* Update the sntp problem tests for MacOS.  HStenn.
1201
1202---
1203NTP 4.2.8p7 (Harlan Stenn <stenn@ntp.org>, 2016/04/26)
1204
1205Focus: Security, Bug fixes, enhancements.
1206
1207Severity: MEDIUM
1208
1209When building NTP from source, there is a new configure option
1210available, --enable-dynamic-interleave.  More information on this below.
1211
1212Also note that ntp-4.2.8p7 logs more "unexpected events" than previous
1213versions of ntp.  These events have almost certainly happened in the
1214past, it's just that they were silently counted and not logged.  With
1215the increasing awareness around security, we feel it's better to clearly
1216log these events to help detect abusive behavior.  This increased
1217logging can also help detect other problems, too.
1218
1219In addition to bug fixes and enhancements, this release fixes the
1220following 9 low- and medium-severity vulnerabilities:
1221
1222* Improve NTP security against buffer comparison timing attacks,
1223  AKA: authdecrypt-timing
1224   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
1225   References: Sec 2879 / CVE-2016-1550
1226   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
1227	4.3.0 up to, but not including 4.3.92
1228   CVSSv2: LOW 2.6 - (AV:L/AC:H/Au:N/C:P/I:P/A:N)
1229   CVSSv3: MED 4.0 - CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
1230   Summary: Packet authentication tests have been performed using
1231	memcmp() or possibly bcmp(), and it is potentially possible
1232	for a local or perhaps LAN-based attacker to send a packet with
1233	an authentication payload and indirectly observe how much of
1234	the digest has matched.
1235   Mitigation:
1236	Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
1237	    or the NTP Public Services Project Download Page.
1238	Properly monitor your ntpd instances.
1239   Credit: This weakness was discovered independently by Loganaden
1240   	Velvindron, and Matthew Van Gundy and Stephen Gray of Cisco ASIG.
1241
1242* Zero origin timestamp bypass: Additional KoD checks.
1243   References: Sec 2945 / Sec 2901 / CVE-2015-8138
1244   Affects: All ntp-4 releases up to, but not including 4.2.8p7,
1245   Summary: Improvements to the fixes incorporated in t 4.2.8p6 and 4.3.92.
1246
1247* peer associations were broken by the fix for NtpBug2899
1248   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
1249   References: Sec 2952 / CVE-2015-7704
1250   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
1251   	4.3.0 up to, but not including 4.3.92
1252   CVSSv2: MED 4.3 - (AV:N/AC:M/Au:N/C:N/I:N/A:P)
1253   Summary: The fix for NtpBug2952 in ntp-4.2.8p5 to address broken peer
1254   	associations did not address all of the issues.
1255   Mitigation:
1256        Implement BCP-38.
1257        Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
1258	    or the NTP Public Services Project Download Page
1259        If you can't upgrade, use "server" associations instead of
1260	    "peer" associations.
1261        Monitor your ntpd instances.
1262   Credit: This problem was discovered by Michael Tatarinov.
1263
1264* Validate crypto-NAKs, AKA: CRYPTO-NAK DoS
1265   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
1266   References: Sec 3007 / CVE-2016-1547 / VU#718152
1267   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
1268	4.3.0 up to, but not including 4.3.92
1269   CVSS2: MED 4.3 - (AV:N/AC:M/Au:N/C:N/I:N/A:P)
1270   CVSS3: MED 3.7 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
1271   Summary: For ntp-4 versions up to but not including ntp-4.2.8p7, an
1272	off-path attacker can cause a preemptable client association to
1273	be demobilized by sending a crypto NAK packet to a victim client
1274	with a spoofed source address of an existing associated peer.
1275	This is true even if authentication is enabled.
1276
1277	Furthermore, if the attacker keeps sending crypto NAK packets,
1278	for example one every second, the victim never has a chance to
1279	reestablish the association and synchronize time with that
1280	legitimate server.
1281
1282	For ntp-4.2.8 thru ntp-4.2.8p6 there is less risk because more
1283	stringent checks are performed on incoming packets, but there
1284	are still ways to exploit this vulnerability in versions before
1285	ntp-4.2.8p7.
1286   Mitigation:
1287	Implement BCP-38.
1288	Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
1289	    or the NTP Public Services Project Download Page
1290	Properly monitor your ntpd instances
1291   Credit: This weakness was discovered by Stephen Gray and
1292   	Matthew Van Gundy of Cisco ASIG.
1293
1294* ctl_getitem() return value not always checked
1295   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
1296   References: Sec 3008 / CVE-2016-2519
1297   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
1298	4.3.0 up to, but not including 4.3.92
1299   CVSSv2: MED 4.9 - (AV:N/AC:H/Au:S/C:N/I:N/A:C)
1300   CVSSv3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
1301   Summary: ntpq and ntpdc can be used to store and retrieve information
1302   	in ntpd. It is possible to store a data value that is larger
1303	than the size of the buffer that the ctl_getitem() function of
1304	ntpd uses to report the return value. If the length of the
1305	requested data value returned by ctl_getitem() is too large,
1306	the value NULL is returned instead. There are 2 cases where the
1307	return value from ctl_getitem() was not directly checked to make
1308	sure it's not NULL, but there are subsequent INSIST() checks
1309	that make sure the return value is not NULL. There are no data
1310	values ordinarily stored in ntpd that would exceed this buffer
1311	length. But if one has permission to store values and one stores
1312	a value that is "too large", then ntpd will abort if an attempt
1313	is made to read that oversized value.
1314    Mitigation:
1315        Implement BCP-38.
1316        Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
1317	    or the NTP Public Services Project Download Page
1318        Properly monitor your ntpd instances.
1319    Credit: This weakness was discovered by Yihan Lian of the Cloud
1320    	Security Team, Qihoo 360.
1321
1322* Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC
1323   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
1324   References: Sec 3009 / CVE-2016-2518 / VU#718152
1325   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
1326	4.3.0 up to, but not including 4.3.92
1327   CVSS2: LOW 2.1 - (AV:N/AC:H/Au:S/C:N/I:N/A:P)
1328   CVSS3: LOW 2.0 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
1329   Summary: Using a crafted packet to create a peer association with
1330   	hmode > 7 causes the MATCH_ASSOC() lookup to make an
1331	out-of-bounds reference.
1332   Mitigation:
1333	Implement BCP-38.
1334	Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
1335	    or the NTP Public Services Project Download Page
1336	Properly monitor your ntpd instances
1337   Credit: This weakness was discovered by Yihan Lian of the Cloud
1338   	Security Team, Qihoo 360.
1339
1340* remote configuration trustedkey/requestkey/controlkey values are not
1341	properly validated
1342   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
1343   References: Sec 3010 / CVE-2016-2517 / VU#718152
1344   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
1345	4.3.0 up to, but not including 4.3.92
1346   CVSS2: MED 4.9 - (AV:N/AC:H/Au:S/C:N/I:N/A:C)
1347   CVSS3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
1348   Summary: If ntpd was expressly configured to allow for remote
1349   	configuration, a malicious user who knows the controlkey for
1350	ntpq or the requestkey for ntpdc (if mode7 is expressly enabled)
1351	can create a session with ntpd and then send a crafted packet to
1352	ntpd that will change the value of the trustedkey, controlkey,
1353	or requestkey to a value that will prevent any subsequent
1354	authentication with ntpd until ntpd is restarted.
1355   Mitigation:
1356	Implement BCP-38.
1357	Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
1358	    or the NTP Public Services Project Download Page
1359	Properly monitor your ntpd instances
1360   Credit: This weakness was discovered by Yihan Lian of the Cloud
1361   	Security Team, Qihoo 360.
1362
1363* Duplicate IPs on unconfig directives will cause an assertion botch in ntpd
1364   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
1365   References: Sec 3011 / CVE-2016-2516 / VU#718152
1366   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
1367   	4.3.0 up to, but not including 4.3.92
1368   CVSS2: MED 6.3 - (AV:N/AC:M/Au:S/C:N/I:N/A:C)
1369   CVSS3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
1370   Summary: If ntpd was expressly configured to allow for remote
1371   	configuration, a malicious user who knows the controlkey for
1372	ntpq or the requestkey for ntpdc (if mode7 is expressly enabled)
1373	can create a session with ntpd and if an existing association is
1374	unconfigured using the same IP twice on the unconfig directive
1375	line, ntpd will abort.
1376   Mitigation:
1377	Implement BCP-38.
1378	Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
1379	    or the NTP Public Services Project Download Page
1380	Properly monitor your ntpd instances
1381   Credit: This weakness was discovered by Yihan Lian of the Cloud
1382   	Security Team, Qihoo 360.
1383
1384* Refclock impersonation vulnerability
1385   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
1386   References: Sec 3020 / CVE-2016-1551
1387   Affects: On a very limited number of OSes, all NTP releases up to but
1388	not including 4.2.8p7, and 4.3.0 up to but not including 4.3.92.
1389	By "very limited number of OSes" we mean no general-purpose OSes
1390	have yet been identified that have this vulnerability.
1391   CVSSv2: LOW 2.6 - (AV:N/AC:H/Au:N/C:N/I:P/A:N)
1392   CVSSv3: LOW 3.7 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
1393   Summary: While most OSes implement martian packet filtering in their
1394   	network stack, at least regarding 127.0.0.0/8, some will allow
1395	packets claiming to be from 127.0.0.0/8 that arrive over a
1396	physical network. On these OSes, if ntpd is configured to use a
1397	reference clock an attacker can inject packets over the network
1398	that look like they are coming from that reference clock.
1399   Mitigation:
1400        Implement martian packet filtering and BCP-38.
1401        Configure ntpd to use an adequate number of time sources.
1402        Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
1403	    or the NTP Public Services Project Download Page
1404        If you are unable to upgrade and if you are running an OS that
1405	    has this vulnerability, implement martian packet filters and
1406	    lobby your OS vendor to fix this problem, or run your
1407	    refclocks on computers that use OSes that are not vulnerable
1408	    to these attacks and have your vulnerable machines get their
1409	    time from protected resources.
1410        Properly monitor your ntpd instances.
1411   Credit: This weakness was discovered by Matt Street and others of
1412   	Cisco ASIG.
1413
1414The following issues were fixed in earlier releases and contain
1415improvements in 4.2.8p7:
1416
1417* Clients that receive a KoD should validate the origin timestamp field.
1418   References: Sec 2901 / CVE-2015-7704, CVE-2015-7705
1419   Affects: All ntp-4 releases up to, but not including 4.2.8p7,
1420   Summary: Improvements to the fixes incorporated into 4.2.8p4 and 4.3.77.
1421
1422* Skeleton key: passive server with trusted key can serve time.
1423   References: Sec 2936 / CVE-2015-7974
1424   Affects: All ntp-4 releases up to, but not including 4.2.8p7,
1425   Summary: Improvements to the fixes incorporated in t 4.2.8p6 and 4.3.90.
1426
1427Two other vulnerabilities have been reported, and the mitigations
1428for these are as follows:
1429
1430* Interleave-pivot
1431   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
1432   References: Sec 2978 / CVE-2016-1548
1433   Affects: All ntp-4 releases.
1434   CVSSv2: MED 6.4 - (AV:N/AC:L/Au:N/C:N/I:P/A:P)
1435   CVSSv3: MED 7.2 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L
1436   Summary: It is possible to change the time of an ntpd client or deny
1437   	service to an ntpd client by forcing it to change from basic
1438	client/server mode to interleaved symmetric mode. An attacker
1439	can spoof a packet from a legitimate ntpd server with an origin
1440	timestamp that matches the peer->dst timestamp recorded for that
1441	server. After making this switch, the client will reject all
1442	future legitimate server responses. It is possible to force the
1443	victim client to move time after the mode has been changed.
1444	ntpq gives no indication that the mode has been switched.
1445   Mitigation:
1446        Implement BCP-38.
1447        Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
1448	    or the NTP Public Services Project Download Page.  These
1449	    versions will not dynamically "flip" into interleave mode
1450	    unless configured to do so.
1451        Properly monitor your ntpd instances.
1452   Credit: This weakness was discovered by Miroslav Lichvar of RedHat
1453   	and separately by Jonathan Gardner of Cisco ASIG.
1454
1455* Sybil vulnerability: ephemeral association attack
1456   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
1457   References: Sec 3012 / CVE-2016-1549
1458   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
1459   	4.3.0 up to, but not including 4.3.92
1460   CVSSv2: LOW 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N)
1461   CVSS3v: MED 5.3 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
1462   Summary: ntpd can be vulnerable to Sybil attacks. If one is not using
1463   	the feature introduced in ntp-4.2.8p6 allowing an optional 4th
1464	field in the ntp.keys file to specify which IPs can serve time,
1465	a malicious authenticated peer can create arbitrarily-many
1466	ephemeral associations in order to win the clock selection of
1467	ntpd and modify a victim's clock.
1468   Mitigation:
1469        Implement BCP-38.
1470        Use the 4th field in the ntp.keys file to specify which IPs
1471	    can be time servers.
1472        Properly monitor your ntpd instances.
1473   Credit: This weakness was discovered by Matthew Van Gundy of Cisco ASIG.
1474
1475Other fixes:
1476
1477* [Bug 2831]  Segmentation Fault in DNS lookup during startup. perlinger@ntp.org
1478  - fixed yet another race condition in the threaded resolver code.
1479* [Bug 2858] bool support.  Use stdbool.h when available.  HStenn.
1480* [Bug 2879] Improve NTP security against timing attacks. perlinger@ntp.org
1481  - integrated patches by Loganaden Velvidron <logan@ntp.org>
1482    with some modifications & unit tests
1483* [Bug 2960] async name resolution fixes for chroot() environments.
1484  Reinhard Max.
1485* [Bug 2994] Systems with HAVE_SIGNALED_IO fail to compile. perlinger@ntp.org
1486* [Bug 2995] Fixes to compile on Windows
1487* [Bug 2999] out-of-bounds access in 'is_safe_filename()'. perlinger@ntp.org
1488* [Bug 3013] Fix for ssl_init.c SHA1 test. perlinger@ntp.org
1489  - Patch provided by Ch. Weisgerber
1490* [Bug 3015] ntpq: config-from-file: "request contains an unprintable character"
1491  - A change related to [Bug 2853] forbids trailing white space in
1492    remote config commands. perlinger@ntp.org
1493* [Bug 3019] NTPD stops processing packets after ERROR_HOST_UNREACHABLE
1494  - report and patch from Aleksandr Kostikov.
1495  - Overhaul of Windows IO completion port handling. perlinger@ntp.org
1496* [Bug 3022] authkeys.c should be refactored. perlinger@ntp.org
1497  - fixed memory leak in access list (auth[read]keys.c)
1498  - refactored handling of key access lists (auth[read]keys.c)
1499  - reduced number of error branches (authreadkeys.c)
1500* [Bug 3023] ntpdate cannot correct dates in the future. perlinger@ntp.org
1501* [Bug 3030] ntpq needs a general way to specify refid output format.  HStenn.
1502* [Bug 3031] ntp broadcastclient unable to synchronize to an server
1503             when the time of server changed. perlinger@ntp.org
1504  - Check the initial delay calculation and reject/unpeer the broadcast
1505    server if the delay exceeds 50ms. Retry again after the next
1506    broadcast packet.
1507* [Bug 3036] autokey trips an INSIST in authistrustedip().  Harlan Stenn.
1508* Document ntp.key's optional IP list in authenetic.html.  Harlan Stenn.
1509* Update html/xleave.html documentation.  Harlan Stenn.
1510* Update ntp.conf documentation.  Harlan Stenn.
1511* Fix some Credit: attributions in the NEWS file.  Harlan Stenn.
1512* Fix typo in html/monopt.html.  Harlan Stenn.
1513* Add README.pullrequests.  Harlan Stenn.
1514* Cleanup to include/ntp.h.  Harlan Stenn.
1515
1516New option to 'configure':
1517
1518While looking in to the issues around Bug 2978, the "interleave pivot"
1519issue, it became clear that there are some intricate and unresolved
1520issues with interleave operations.  We also realized that the interleave
1521protocol was never added to the NTPv4 Standard, and it should have been.
1522
1523Interleave mode was first released in July of 2008, and can be engaged
1524in two ways.  Any 'peer' and 'broadcast' lines in the ntp.conf file may
1525contain the 'xleave' option, which will expressly enable interlave mode
1526for that association.  Additionally, if a time packet arrives and is
1527found inconsistent with normal protocol behavior but has certain
1528characteristics that are compatible with interleave mode, NTP will
1529dynamically switch to interleave mode.  With sufficient knowledge, an
1530attacker can send a crafted forged packet to an NTP instance that
1531triggers only one side to enter interleaved mode.
1532
1533To prevent this attack until we can thoroughly document, describe,
1534fix, and test the dynamic interleave mode, we've added a new
1535'configure' option to the build process:
1536
1537 --enable-dynamic-interleave
1538
1539This option controls whether or not NTP will, if conditions are right,
1540engage dynamic interleave mode.  Dynamic interleave mode is disabled by
1541default in ntp-4.2.8p7.
1542
1543---
1544NTP 4.2.8p6 (Harlan Stenn <stenn@ntp.org>, 2016/01/20)
1545
1546Focus: Security, Bug fixes, enhancements.
1547
1548Severity: MEDIUM
1549
1550In addition to bug fixes and enhancements, this release fixes the
1551following 1 low- and 8 medium-severity vulnerabilities:
1552
1553* Potential Infinite Loop in 'ntpq'
1554   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
1555   References: Sec 2548 / CVE-2015-8158
1556   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
1557	4.3.0 up to, but not including 4.3.90
1558   CVSS2: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
1559   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score: 5.3 - MEDIUM
1560   Summary: 'ntpq' processes incoming packets in a loop in 'getresponse()'.
1561	The loop's only stopping conditions are receiving a complete and
1562	correct response or hitting a small number of error conditions.
1563	If the packet contains incorrect values that don't trigger one of
1564	the error conditions, the loop continues to receive new packets.
1565	Note well, this is an attack against an instance of 'ntpq', not
1566	'ntpd', and this attack requires the attacker to do one of the
1567	following:
1568	* Own a malicious NTP server that the client trusts
1569	* Prevent a legitimate NTP server from sending packets to
1570	    the 'ntpq' client
1571	* MITM the 'ntpq' communications between the 'ntpq' client
1572	    and the NTP server
1573   Mitigation:
1574	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
1575	or the NTP Public Services Project Download Page
1576   Credit: This weakness was discovered by Jonathan Gardner of Cisco ASIG.
1577
1578* 0rigin: Zero Origin Timestamp Bypass
1579   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
1580   References: Sec 2945 / CVE-2015-8138
1581   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
1582	4.3.0 up to, but not including 4.3.90
1583   CVSS2: (AV:N/AC:L/Au:N/C:N/I:P/A:N) Base Score: 5.0 - MEDIUM
1584   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score: 5.3 - MEDIUM
1585	(3.7 - LOW if you score AC:L)
1586   Summary: To distinguish legitimate peer responses from forgeries, a
1587	client attempts to verify a response packet by ensuring that the
1588	origin timestamp in the packet matches the origin timestamp it
1589	transmitted in its last request.  A logic error exists that
1590	allows packets with an origin timestamp of zero to bypass this
1591	check whenever there is not an outstanding request to the server.
1592   Mitigation:
1593	Configure 'ntpd' to get time from multiple sources.
1594	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
1595	    or the NTP Public Services Project Download Page.
1596	Monitor your 'ntpd' instances.
1597   Credit: This weakness was discovered by Matthey Van Gundy and
1598	Jonathan Gardner of Cisco ASIG.
1599
1600* Stack exhaustion in recursive traversal of restriction list
1601   Date Resolved: Stable (4.2.8p6) 19 Jan 2016
1602   References: Sec 2940 / CVE-2015-7978
1603   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
1604	4.3.0 up to, but not including 4.3.90
1605   CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
1606   Summary: An unauthenticated 'ntpdc reslist' command can cause a
1607   	segmentation fault in ntpd by exhausting the call stack.
1608   Mitigation:
1609	Implement BCP-38.
1610	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
1611	    or the NTP Public Services Project Download Page.
1612	If you are unable to upgrade:
1613            In ntp-4.2.8, mode 7 is disabled by default. Don't enable it.
1614	    If you must enable mode 7:
1615		configure the use of a 'requestkey' to control who can
1616		    issue mode 7 requests.
1617		configure 'restrict noquery' to further limit mode 7
1618		    requests to trusted sources.
1619		Monitor your ntpd instances.
1620   Credit: This weakness was discovered by Stephen Gray at Cisco ASIG.
1621
1622* Off-path Denial of Service (!DoS) attack on authenticated broadcast mode
1623   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
1624   References: Sec 2942 / CVE-2015-7979
1625   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
1626	4.3.0 up to, but not including 4.3.90
1627   CVSS: (AV:N/AC:M/Au:N/C:N/I:P/A:P) Base Score: 5.8
1628   Summary: An off-path attacker can send broadcast packets with bad
1629	authentication (wrong key, mismatched key, incorrect MAC, etc)
1630	to broadcast clients. It is observed that the broadcast client
1631	tears down the association with the broadcast server upon
1632	receiving just one bad packet.
1633   Mitigation:
1634	Implement BCP-38.
1635	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
1636	or the NTP Public Services Project Download Page.
1637	Monitor your 'ntpd' instances.
1638	If this sort of attack is an active problem for you, you have
1639	    deeper problems to investigate.  In this case also consider
1640	    having smaller NTP broadcast domains.
1641   Credit: This weakness was discovered by Aanchal Malhotra of Boston
1642   	University.
1643
1644* reslist NULL pointer dereference
1645   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
1646   References: Sec 2939 / CVE-2015-7977
1647   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
1648	4.3.0 up to, but not including 4.3.90
1649   CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
1650   Summary: An unauthenticated 'ntpdc reslist' command can cause a
1651	segmentation fault in ntpd by causing a NULL pointer dereference.
1652   Mitigation:
1653	Implement BCP-38.
1654	Upgrade to 4.2.8p6, or later, from NTP Project Download Page or
1655	the NTP Public Services Project Download Page.
1656	If you are unable to upgrade:
1657	    mode 7 is disabled by default.  Don't enable it.
1658	    If you must enable mode 7:
1659		configure the use of a 'requestkey' to control who can
1660		    issue mode 7 requests.
1661		configure 'restrict noquery' to further limit mode 7
1662		    requests to trusted sources.
1663	Monitor your ntpd instances.
1664   Credit: This weakness was discovered by Stephen Gray of Cisco ASIG.
1665
1666* 'ntpq saveconfig' command allows dangerous characters in filenames.
1667   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
1668   References: Sec 2938 / CVE-2015-7976
1669   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
1670	4.3.0 up to, but not including 4.3.90
1671   CVSS: (AV:N/AC:L/Au:S/C:N/I:P/A:N) Base Score: 4.0 - MEDIUM
1672   Summary: The ntpq saveconfig command does not do adequate filtering
1673   	of special characters from the supplied filename.
1674	Note well: The ability to use the saveconfig command is controlled
1675	by the 'restrict nomodify' directive, and the recommended default
1676	configuration is to disable this capability.  If the ability to
1677	execute a 'saveconfig' is required, it can easily (and should) be
1678	limited and restricted to a known small number of IP addresses.
1679   Mitigation:
1680	Implement BCP-38.
1681	use 'restrict default nomodify' in your 'ntp.conf' file.
1682	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page.
1683	If you are unable to upgrade:
1684	    build NTP with 'configure --disable-saveconfig' if you will
1685	    	never need this capability, or
1686	    use 'restrict default nomodify' in your 'ntp.conf' file.  Be
1687		careful about what IPs have the ability to send 'modify'
1688		requests to 'ntpd'.
1689	Monitor your ntpd instances.
1690	'saveconfig' requests are logged to syslog - monitor your syslog files.
1691   Credit: This weakness was discovered by Jonathan Gardner of Cisco ASIG.
1692
1693* nextvar() missing length check in ntpq
1694   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
1695   References: Sec 2937 / CVE-2015-7975
1696   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
1697	4.3.0 up to, but not including 4.3.90
1698   CVSS: (AV:L/AC:H/Au:N/C:N/I:N/A:P) Base Score: 1.2 - LOW
1699	If you score A:C, this becomes 4.0.
1700   CVSSv3: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) Base Score 2.9, LOW
1701   Summary: ntpq may call nextvar() which executes a memcpy() into the
1702	name buffer without a proper length check against its maximum
1703	length of 256 bytes. Note well that we're taking about ntpq here.
1704	The usual worst-case effect of this vulnerability is that the
1705	specific instance of ntpq will crash and the person or process
1706	that did this will have stopped themselves.
1707   Mitigation:
1708	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
1709	    or the NTP Public Services Project Download Page.
1710	If you are unable to upgrade:
1711	    If you have scripts that feed input to ntpq make sure there are
1712		some sanity checks on the input received from the "outside".
1713	    This is potentially more dangerous if ntpq is run as root.
1714   Credit: This weakness was discovered by Jonathan Gardner at Cisco ASIG.
1715
1716* Skeleton Key: Any trusted key system can serve time
1717   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
1718   References: Sec 2936 / CVE-2015-7974
1719   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
1720	4.3.0 up to, but not including 4.3.90
1721   CVSS: (AV:N/AC:H/Au:S/C:N/I:C/A:N) Base Score: 4.9
1722   Summary: Symmetric key encryption uses a shared trusted key. The
1723	reported title for this issue was "Missing key check allows
1724	impersonation between authenticated peers" and the report claimed
1725	"A key specified only for one server should only work to
1726	authenticate that server, other trusted keys should be refused."
1727	Except there has never been any correlation between this trusted
1728	key and server v. clients machines and there has never been any
1729	way to specify a key only for one server. We have treated this as
1730	an enhancement request, and ntp-4.2.8p6 includes other checks and
1731	tests to strengthen clients against attacks coming from broadcast
1732	servers.
1733   Mitigation:
1734	Implement BCP-38.
1735	If this scenario represents a real or a potential issue for you,
1736	    upgrade to 4.2.8p6, or later, from the NTP Project Download
1737	    Page or the NTP Public Services Project Download Page, and
1738	    use the new field in the ntp.keys file that specifies the list
1739	    of IPs that are allowed to serve time. Note that this alone
1740	    will not protect against time packets with forged source IP
1741	    addresses, however other changes in ntp-4.2.8p6 provide
1742	    significant mitigation against broadcast attacks. MITM attacks
1743	    are a different story.
1744	If you are unable to upgrade:
1745	    Don't use broadcast mode if you cannot monitor your client
1746	    	servers.
1747	    If you choose to use symmetric keys to authenticate time
1748	    	packets in a hostile environment where ephemeral time
1749		servers can be created, or if it is expected that malicious
1750		time servers will participate in an NTP broadcast domain,
1751		limit the number of participating systems that participate
1752		in the shared-key group.
1753	Monitor your ntpd instances.
1754   Credit: This weakness was discovered by Matt Street of Cisco ASIG.
1755
1756* Deja Vu: Replay attack on authenticated broadcast mode
1757   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
1758   References: Sec 2935 / CVE-2015-7973
1759   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
1760   	4.3.0 up to, but not including 4.3.90
1761   CVSS: (AV:A/AC:M/Au:N/C:N/I:P/A:P) Base Score: 4.3 - MEDIUM
1762   Summary: If an NTP network is configured for broadcast operations then
1763   	either a man-in-the-middle attacker or a malicious participant
1764	that has the same trusted keys as the victim can replay time packets.
1765   Mitigation:
1766	Implement BCP-38.
1767	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
1768	    or the NTP Public Services Project Download Page.
1769	If you are unable to upgrade:
1770	    Don't use broadcast mode if you cannot monitor your client servers.
1771	Monitor your ntpd instances.
1772   Credit: This weakness was discovered by Aanchal Malhotra of Boston
1773	University.
1774
1775Other fixes:
1776
1777* [Bug 2772] adj_systime overflows tv_usec. perlinger@ntp.org
1778* [Bug 2814] msyslog deadlock when signaled. perlinger@ntp.org
1779  - applied patch by shenpeng11@huawei.com with minor adjustments
1780* [Bug 2882] Look at ntp_request.c:list_peers_sum(). perlinger@ntp.org
1781* [Bug 2891] Deadlock in deferred DNS lookup framework. perlinger@ntp.org
1782* [Bug 2892] Several test cases assume IPv6 capabilities even when
1783             IPv6 is disabled in the build. perlinger@ntp.org
1784  - Found this already fixed, but validation led to cleanup actions.
1785* [Bug 2905] DNS lookups broken. perlinger@ntp.org
1786  - added limits to stack consumption, fixed some return code handling
1787* [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call
1788  - changed stacked/nested handling of CTRL-C. perlinger@ntp.org
1789  - make CTRL-C work for retrieval and printing od MRU list. perlinger@ntp.org
1790* [Bug 2980] reduce number of warnings. perlinger@ntp.org
1791  - integrated several patches from Havard Eidnes (he@uninett.no)
1792* [Bug 2985] bogus calculation in authkeys.c perlinger@ntp.org
1793  - implement 'auth_log2()' using integer bithack instead of float calculation
1794* Make leapsec_query debug messages less verbose.  Harlan Stenn.
1795
1796---
1797NTP 4.2.8p5 (Harlan Stenn <stenn@ntp.org>, 2016/01/07)
1798
1799Focus: Security, Bug fixes, enhancements.
1800
1801Severity: MEDIUM
1802
1803In addition to bug fixes and enhancements, this release fixes the
1804following medium-severity vulnerability:
1805
1806* Small-step/big-step.  Close the panic gate earlier.
1807    References: Sec 2956, CVE-2015-5300
1808    Affects: All ntp-4 releases up to, but not including 4.2.8p5, and
1809	4.3.0 up to, but not including 4.3.78
1810    CVSS3: (AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:L) Base Score: 4.0, MEDIUM
1811    Summary: If ntpd is always started with the -g option, which is
1812	common and against long-standing recommendation, and if at the
1813	moment ntpd is restarted an attacker can immediately respond to
1814	enough requests from enough sources trusted by the target, which
1815	is difficult and not common, there is a window of opportunity
1816	where the attacker can cause ntpd to set the time to an
1817	arbitrary value. Similarly, if an attacker is able to respond
1818	to enough requests from enough sources trusted by the target,
1819	the attacker can cause ntpd to abort and restart, at which
1820	point it can tell the target to set the time to an arbitrary
1821	value if and only if ntpd was re-started against long-standing
1822	recommendation with the -g flag, or if ntpd was not given the
1823	-g flag, the attacker can move the target system's time by at
1824	most 900 seconds' time per attack.
1825    Mitigation:
1826	Configure ntpd to get time from multiple sources.
1827	Upgrade to 4.2.8p5, or later, from the NTP Project Download
1828	    Page or the NTP Public Services Project Download Page
1829	As we've long documented, only use the -g option to ntpd in
1830	    cold-start situations.
1831	Monitor your ntpd instances.
1832    Credit: This weakness was discovered by Aanchal Malhotra,
1833	Isaac E. Cohen, and Sharon Goldberg at Boston University.
1834
1835    NOTE WELL: The -g flag disables the limit check on the panic_gate
1836	in ntpd, which is 900 seconds by default. The bug identified by
1837	the researchers at Boston University is that the panic_gate
1838	check was only re-enabled after the first change to the system
1839	clock that was greater than 128 milliseconds, by default. The
1840	correct behavior is that the panic_gate check should be
1841	re-enabled after any initial time correction.
1842
1843	If an attacker is able to inject consistent but erroneous time
1844	responses to your systems via the network or "over the air",
1845	perhaps by spoofing radio, cellphone, or navigation satellite
1846	transmissions, they are in a great position to affect your
1847	system's clock. There comes a point where your very best
1848	defenses include:
1849
1850	    Configure ntpd to get time from multiple sources.
1851	    Monitor your ntpd instances.
1852
1853Other fixes:
1854
1855* Coverity submission process updated from Coverity 5 to Coverity 7.
1856  The NTP codebase has been undergoing regular Coverity scans on an
1857  ongoing basis since 2006.  As part of our recent upgrade from
1858  Coverity 5 to Coverity 7, Coverity identified 16 nits in some of
1859  the newly-written Unity test programs.  These were fixed.
1860* [Bug 2829] Clean up pipe_fds in ntpd.c  perlinger@ntp.org
1861* [Bug 2887] stratum -1 config results as showing value 99
1862  - fudge stratum should only accept values [0..16]. perlinger@ntp.org
1863* [Bug 2932] Update leapsecond file info in miscopt.html.  CWoodbury, HStenn.
1864* [Bug 2934] tests/ntpd/t-ntp_scanner.c has a magic constant wired in.  HMurray
1865* [Bug 2944] errno is not preserved properly in ntpdate after sendto call.
1866  - applied patch by Christos Zoulas.  perlinger@ntp.org
1867* [Bug 2952] Peer associations broken by fix for Bug 2901/CVE-2015-7704.
1868* [Bug 2954] Version 4.2.8p4 crashes on startup on some OSes.
1869  - fixed data race conditions in threaded DNS worker. perlinger@ntp.org
1870  - limit threading warm-up to linux; FreeBSD bombs on it. perlinger@ntp.org
1871* [Bug 2957] 'unsigned int' vs 'size_t' format clash. perlinger@ntp.org
1872  - accept key file only if there are no parsing errors
1873  - fixed size_t/u_int format clash
1874  - fixed wrong use of 'strlcpy'
1875* [Bug 2958] ntpq: fatal error messages need a final newline. Craig Leres.
1876* [Bug 2962] truncation of size_t/ptrdiff_t on 64bit targets. perlinger@ntp.org
1877  - fixed several other warnings (cast-alignment, missing const, missing prototypes)
1878  - promote use of 'size_t' for values that express a size
1879  - use ptr-to-const for read-only arguments
1880  - make sure SOCKET values are not truncated (win32-specific)
1881  - format string fixes
1882* [Bug 2965] Local clock didn't work since 4.2.8p4.  Martin Burnicki.
1883* [Bug 2967] ntpdate command suffers an assertion failure
1884  - fixed ntp_rfc2553.c to return proper address length. perlinger@ntp.org
1885* [Bug 2969]  Seg fault from ntpq/mrulist when looking at server with
1886              lots of clients. perlinger@ntp.org
1887* [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call
1888  - changed stacked/nested handling of CTRL-C. perlinger@ntp.org
1889* Unity cleanup for FreeBSD-6.4.  Harlan Stenn.
1890* Unity test cleanup.  Harlan Stenn.
1891* Libevent autoconf pthread fixes for FreeBSD-10.  Harlan Stenn.
1892* Header cleanup in tests/sandbox/uglydate.c.  Harlan Stenn.
1893* Header cleanup in tests/libntp/sfptostr.c.  Harlan Stenn.
1894* Quiet a warning from clang.  Harlan Stenn.
1895
1896---
1897NTP 4.2.8p4 (Harlan Stenn <stenn@ntp.org>, 2015/10/21)
1898
1899Focus: Security, Bug fixes, enhancements.
1900
1901Severity: MEDIUM
1902
1903In addition to bug fixes and enhancements, this release fixes the
1904following 13 low- and medium-severity vulnerabilities:
1905
1906* Incomplete vallen (value length) checks in ntp_crypto.c, leading
1907  to potential crashes or potential code injection/information leakage.
1908
1909    References: Sec 2899, Sec 2671, CVE-2015-7691, CVE-2015-7692, CVE-2015-7702
1910    Affects: All ntp-4 releases up to, but not including 4.2.8p4,
1911    	and 4.3.0 up to, but not including 4.3.77
1912    CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6
1913    Summary: The fix for CVE-2014-9750 was incomplete in that there were
1914    	certain code paths where a packet with particular autokey operations
1915	that contained malicious data was not always being completely
1916	validated. Receipt of these packets can cause ntpd to crash.
1917    Mitigation:
1918        Don't use autokey.
1919	Upgrade to 4.2.8p4, or later, from the NTP Project Download
1920	    Page or the NTP Public Services Project Download Page
1921	Monitor your ntpd instances.
1922	Credit: This weakness was discovered by Tenable Network Security.
1923
1924* Clients that receive a KoD should validate the origin timestamp field.
1925
1926    References: Sec 2901 / CVE-2015-7704, CVE-2015-7705
1927    Affects: All ntp-4 releases up to, but not including 4.2.8p4,
1928	and 4.3.0 up to, but not including 4.3.77
1929    CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3-5.0 at worst
1930    Summary: An ntpd client that honors Kiss-of-Death responses will honor
1931    	KoD messages that have been forged by an attacker, causing it to
1932	delay or stop querying its servers for time updates. Also, an
1933	attacker can forge packets that claim to be from the target and
1934	send them to servers often enough that a server that implements
1935	KoD rate limiting will send the target machine a KoD response to
1936	attempt to reduce the rate of incoming packets, or it may also
1937	trigger a firewall block at the server for packets from the target
1938	machine. For either of these attacks to succeed, the attacker must
1939	know what servers the target is communicating with. An attacker
1940	can be anywhere on the Internet and can frequently learn the
1941	identity of the target's time source by sending the target a
1942	time query.
1943    Mitigation:
1944        Implement BCP-38.
1945	Upgrade to 4.2.8p4, or later, from the NTP Project Download Page
1946	    or the NTP Public Services Project Download Page
1947	If you can't upgrade, restrict who can query ntpd to learn who
1948	    its servers are, and what IPs are allowed to ask your system
1949	    for the time. This mitigation is heavy-handed.
1950	Monitor your ntpd instances.
1951    Note:
1952    	4.2.8p4 protects against the first attack. For the second attack,
1953    	all we can do is warn when it is happening, which we do in 4.2.8p4.
1954    Credit: This weakness was discovered by Aanchal Malhotra,
1955    	Issac E. Cohen, and Sharon Goldberg of Boston University.
1956
1957* configuration directives to change "pidfile" and "driftfile" should
1958  only be allowed locally.
1959
1960  References: Sec 2902 / CVE-2015-5196
1961  Affects: All ntp-4 releases up to, but not including 4.2.8p4,
1962	and 4.3.0 up to, but not including 4.3.77
1963   CVSS: (AV:N/AC:H/Au:M/C:N/I:C/A:C) Base Score: 6.2 worst case
1964   Summary: If ntpd is configured to allow for remote configuration,
1965	and if the (possibly spoofed) source IP address is allowed to
1966	send remote configuration requests, and if the attacker knows
1967	the remote configuration password, it's possible for an attacker
1968	to use the "pidfile" or "driftfile" directives to potentially
1969	overwrite other files.
1970   Mitigation:
1971	Implement BCP-38.
1972	Upgrade to 4.2.8p4, or later, from the NTP Project Download
1973	    Page or the NTP Public Services Project Download Page
1974	If you cannot upgrade, don't enable remote configuration.
1975	If you must enable remote configuration and cannot upgrade,
1976	    remote configuration of NTF's ntpd requires:
1977	    - an explicitly configured trustedkey, and you should also
1978	    	configure a controlkey.
1979	    - access from a permitted IP. You choose the IPs.
1980	    - authentication. Don't disable it. Practice secure key safety.
1981	Monitor your ntpd instances.
1982   Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
1983
1984* Slow memory leak in CRYPTO_ASSOC
1985
1986  References: Sec 2909 / CVE-2015-7701
1987  Affects: All ntp-4 releases that use autokey up to, but not
1988    including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
1989  CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 0.0 best/usual case,
1990  	4.6 otherwise
1991  Summary: If ntpd is configured to use autokey, then an attacker can
1992	send packets to ntpd that will, after several days of ongoing
1993	attack, cause it to run out of memory.
1994  Mitigation:
1995	Don't use autokey.
1996	Upgrade to 4.2.8p4, or later, from the NTP Project Download
1997	    Page or the NTP Public Services Project Download Page
1998	Monitor your ntpd instances.
1999  Credit: This weakness was discovered by Tenable Network Security.
2000
2001* mode 7 loop counter underrun
2002
2003  References:  Sec 2913 / CVE-2015-7848 / TALOS-CAN-0052
2004  Affects: All ntp-4 releases up to, but not including 4.2.8p4,
2005  	and 4.3.0 up to, but not including 4.3.77
2006  CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6
2007  Summary: If ntpd is configured to enable mode 7 packets, and if the
2008	use of mode 7 packets is not properly protected thru the use of
2009	the available mode 7 authentication and restriction mechanisms,
2010	and if the (possibly spoofed) source IP address is allowed to
2011	send mode 7 queries, then an attacker can send a crafted packet
2012	to ntpd that will cause it to crash.
2013  Mitigation:
2014	Implement BCP-38.
2015	Upgrade to 4.2.8p4, or later, from the NTP Project Download
2016	    Page or the NTP Public Services Project Download Page.
2017	      If you are unable to upgrade:
2018	In ntp-4.2.8, mode 7 is disabled by default. Don't enable it.
2019	If you must enable mode 7:
2020	    configure the use of a requestkey to control who can issue
2021		mode 7 requests.
2022	    configure restrict noquery to further limit mode 7 requests
2023		to trusted sources.
2024	Monitor your ntpd instances.
2025Credit: This weakness was discovered by Aleksandar Nikolic of Cisco Talos.
2026
2027* memory corruption in password store
2028
2029  References: Sec 2916 / CVE-2015-7849 / TALOS-CAN-0054
2030  Affects: All ntp-4 releases up to, but not including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
2031  CVSS: (AV:N/AC:H/Au:M/C:N/I:C/A:C) Base Score: 6.8, worst case
2032  Summary: If ntpd is configured to allow remote configuration, and if
2033	the (possibly spoofed) source IP address is allowed to send
2034	remote configuration requests, and if the attacker knows the
2035	remote configuration password or if ntpd was configured to
2036	disable authentication, then an attacker can send a set of
2037	packets to ntpd that may cause a crash or theoretically
2038	perform a code injection attack.
2039  Mitigation:
2040	Implement BCP-38.
2041	Upgrade to 4.2.8p4, or later, from the NTP Project Download
2042	    Page or the NTP Public Services Project Download Page.
2043	If you are unable to upgrade, remote configuration of NTF's
2044	    ntpd requires:
2045		an explicitly configured "trusted" key. Only configure
2046			this if you need it.
2047		access from a permitted IP address. You choose the IPs.
2048		authentication. Don't disable it. Practice secure key safety.
2049	Monitor your ntpd instances.
2050  Credit: This weakness was discovered by Yves Younan of Cisco Talos.
2051
2052* Infinite loop if extended logging enabled and the logfile and
2053  keyfile are the same.
2054
2055    References: Sec 2917 / CVE-2015-7850 / TALOS-CAN-0055
2056    Affects: All ntp-4 releases up to, but not including 4.2.8p4,
2057	and 4.3.0 up to, but not including 4.3.77
2058    CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6, worst case
2059    Summary: If ntpd is configured to allow remote configuration, and if
2060	the (possibly spoofed) source IP address is allowed to send
2061	remote configuration requests, and if the attacker knows the
2062	remote configuration password or if ntpd was configured to
2063	disable authentication, then an attacker can send a set of
2064	packets to ntpd that will cause it to crash and/or create a
2065	potentially huge log file. Specifically, the attacker could
2066	enable extended logging, point the key file at the log file,
2067	and cause what amounts to an infinite loop.
2068    Mitigation:
2069	Implement BCP-38.
2070	Upgrade to 4.2.8p4, or later, from the NTP Project Download
2071	    Page or the NTP Public Services Project Download Page.
2072	If you are unable to upgrade, remote configuration of NTF's ntpd
2073	  requires:
2074            an explicitly configured "trusted" key. Only configure this
2075	    	if you need it.
2076            access from a permitted IP address. You choose the IPs.
2077            authentication. Don't disable it. Practice secure key safety.
2078        Monitor your ntpd instances.
2079    Credit: This weakness was discovered by Yves Younan of Cisco Talos.
2080
2081* Potential path traversal vulnerability in the config file saving of
2082  ntpd on VMS.
2083
2084  References: Sec 2918 / CVE-2015-7851 / TALOS-CAN-0062
2085  Affects: All ntp-4 releases running under VMS up to, but not
2086	including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
2087  CVSS: (AV:N/AC:H/Au:M/C:N/I:P/A:C) Base Score: 5.2, worst case
2088  Summary: If ntpd is configured to allow remote configuration, and if
2089	the (possibly spoofed) IP address is allowed to send remote
2090	configuration requests, and if the attacker knows the remote
2091	configuration password or if ntpd was configured to disable
2092	authentication, then an attacker can send a set of packets to
2093	ntpd that may cause ntpd to overwrite files.
2094  Mitigation:
2095	Implement BCP-38.
2096	Upgrade to 4.2.8p4, or later, from the NTP Project Download
2097	    Page or the NTP Public Services Project Download Page.
2098	If you are unable to upgrade, remote configuration of NTF's ntpd
2099	    requires:
2100		an explicitly configured "trusted" key. Only configure
2101			this if you need it.
2102		access from permitted IP addresses. You choose the IPs.
2103		authentication. Don't disable it. Practice key security safety.
2104        Monitor your ntpd instances.
2105    Credit: This weakness was discovered by Yves Younan of Cisco Talos.
2106
2107* ntpq atoascii() potential memory corruption
2108
2109  References: Sec 2919 / CVE-2015-7852 / TALOS-CAN-0063
2110  Affects: All ntp-4 releases running up to, but not including 4.2.8p4,
2111	and 4.3.0 up to, but not including 4.3.77
2112  CVSS: (AV:N/AC:H/Au:N/C:N/I:P/A:P) Base Score: 4.0, worst case
2113  Summary: If an attacker can figure out the precise moment that ntpq
2114	is listening for data and the port number it is listening on or
2115	if the attacker can provide a malicious instance ntpd that
2116	victims will connect to then an attacker can send a set of
2117	crafted mode 6 response packets that, if received by ntpq,
2118	can cause ntpq to crash.
2119  Mitigation:
2120	Implement BCP-38.
2121	Upgrade to 4.2.8p4, or later, from the NTP Project Download
2122	    Page or the NTP Public Services Project Download Page.
2123	If you are unable to upgrade and you run ntpq against a server
2124	    and ntpq crashes, try again using raw mode. Build or get a
2125	    patched ntpq and see if that fixes the problem. Report new
2126	    bugs in ntpq or abusive servers appropriately.
2127	If you use ntpq in scripts, make sure ntpq does what you expect
2128	    in your scripts.
2129  Credit: This weakness was discovered by Yves Younan and
2130  	Aleksander Nikolich of Cisco Talos.
2131
2132* Invalid length data provided by a custom refclock driver could cause
2133  a buffer overflow.
2134
2135  References: Sec 2920 / CVE-2015-7853 / TALOS-CAN-0064
2136  Affects: Potentially all ntp-4 releases running up to, but not
2137	including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
2138	that have custom refclocks
2139  CVSS: (AV:L/AC:H/Au:M/C:C/I:C/A:C) Base Score: 0.0 usual case,
2140	5.9 unusual worst case
2141  Summary: A negative value for the datalen parameter will overflow a
2142	data buffer. NTF's ntpd driver implementations always set this
2143	value to 0 and are therefore not vulnerable to this weakness.
2144	If you are running a custom refclock driver in ntpd and that
2145	driver supplies a negative value for datalen (no custom driver
2146	of even minimal competence would do this) then ntpd would
2147	overflow a data buffer. It is even hypothetically possible
2148	in this case that instead of simply crashing ntpd the attacker
2149	could effect a code injection attack.
2150  Mitigation:
2151	Upgrade to 4.2.8p4, or later, from the NTP Project Download
2152	    Page or the NTP Public Services Project Download Page.
2153	If you are unable to upgrade:
2154		If you are running custom refclock drivers, make sure
2155			the signed datalen value is either zero or positive.
2156	Monitor your ntpd instances.
2157  Credit: This weakness was discovered by Yves Younan of Cisco Talos.
2158
2159* Password Length Memory Corruption Vulnerability
2160
2161  References: Sec 2921 / CVE-2015-7854 / TALOS-CAN-0065
2162  Affects: All ntp-4 releases up to, but not including 4.2.8p4, and
2163  	4.3.0 up to, but not including 4.3.77
2164  CVSS: (AV:N/AC:H/Au:M/C:C/I:C/A:C) Base Score: 0.0 best case,
2165  	1.7 usual case, 6.8, worst case
2166  Summary: If ntpd is configured to allow remote configuration, and if
2167	the (possibly spoofed) source IP address is allowed to send
2168	remote configuration requests, and if the attacker knows the
2169	remote configuration password or if ntpd was (foolishly)
2170	configured to disable authentication, then an attacker can
2171	send a set of packets to ntpd that may cause it to crash,
2172	with the hypothetical possibility of a small code injection.
2173  Mitigation:
2174	Implement BCP-38.
2175	Upgrade to 4.2.8p4, or later, from the NTP Project Download
2176	    Page or the NTP Public Services Project Download Page.
2177	If you are unable to upgrade, remote configuration of NTF's
2178	    ntpd requires:
2179		an explicitly configured "trusted" key. Only configure
2180			this if you need it.
2181		access from a permitted IP address. You choose the IPs.
2182		authentication. Don't disable it. Practice secure key safety.
2183	Monitor your ntpd instances.
2184  Credit: This weakness was discovered by Yves Younan and
2185  	Aleksander Nikolich of Cisco Talos.
2186
2187* decodenetnum() will ASSERT botch instead of returning FAIL on some
2188  bogus values.
2189
2190  References: Sec 2922 / CVE-2015-7855
2191  Affects: All ntp-4 releases up to, but not including 4.2.8p4, and
2192	4.3.0 up to, but not including 4.3.77
2193  CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6, worst case
2194  Summary: If ntpd is fed a crafted mode 6 or mode 7 packet containing
2195	an unusually long data value where a network address is expected,
2196	the decodenetnum() function will abort with an assertion failure
2197	instead of simply returning a failure condition.
2198  Mitigation:
2199	Implement BCP-38.
2200	Upgrade to 4.2.8p4, or later, from the NTP Project Download
2201	    Page or the NTP Public Services Project Download Page.
2202	If you are unable to upgrade:
2203		mode 7 is disabled by default. Don't enable it.
2204		Use restrict noquery to limit who can send mode 6
2205			and mode 7 requests.
2206		Configure and use the controlkey and requestkey
2207			authentication directives to limit who can
2208			send mode 6 and mode 7 requests.
2209	Monitor your ntpd instances.
2210  Credit: This weakness was discovered by John D "Doug" Birdwell of IDA.org.
2211
2212* NAK to the Future: Symmetric association authentication bypass via
2213  crypto-NAK.
2214
2215  References: Sec 2941 / CVE-2015-7871
2216  Affects: All ntp-4 releases between 4.2.5p186 up to but not including
2217  	4.2.8p4, and 4.3.0 up to but not including 4.3.77
2218  CVSS: (AV:N/AC:L/Au:N/C:N/I:P/A:P) Base Score: 6.4
2219  Summary: Crypto-NAK packets can be used to cause ntpd to accept time
2220	from unauthenticated ephemeral symmetric peers by bypassing the
2221	authentication required to mobilize peer associations. This
2222	vulnerability appears to have been introduced in ntp-4.2.5p186
2223	when the code handling mobilization of new passive symmetric
2224	associations (lines 1103-1165) was refactored.
2225  Mitigation:
2226	Implement BCP-38.
2227	Upgrade to 4.2.8p4, or later, from the NTP Project Download
2228	    Page or the NTP Public Services Project Download Page.
2229	If you are unable to upgrade:
2230		Apply the patch to the bottom of the "authentic" check
2231			block around line 1136 of ntp_proto.c.
2232	Monitor your ntpd instances.
2233  Credit: This weakness was discovered by Matthew Van Gundy of Cisco ASIG.
2234
2235Backward-Incompatible changes:
2236* [Bug 2817] Default on Linux is now "rlimit memlock -1".
2237  While the general default of 32M is still the case, under Linux
2238  the default value has been changed to -1 (do not lock ntpd into
2239  memory).  A value of 0 means "lock ntpd into memory with whatever
2240  memory it needs." If your ntp.conf file has an explicit "rlimit memlock"
2241  value in it, that value will continue to be used.
2242
2243* [Bug 2886] Misspelling: "outlyer" should be "outlier".
2244  If you've written a script that looks for this case in, say, the
2245  output of ntpq, you probably want to change your regex matches
2246  from 'outlyer' to 'outl[iy]er'.
2247
2248New features in this release:
2249* 'rlimit memlock' now has finer-grained control.  A value of -1 means
2250  "don't lock ntpd into memore".  This is the default for Linux boxes.
2251  A value of 0 means "lock ntpd into memory" with no limits.  Otherwise
2252  the value is the number of megabytes of memory to lock.  The default
2253  is 32 megabytes.
2254
2255* The old Google Test framework has been replaced with a new framework,
2256  based on http://www.throwtheswitch.org/unity/ .
2257
2258Bug Fixes and Improvements:
2259* [Bug 2332] (reopened) Exercise thread cancellation once before dropping
2260  privileges and limiting resources in NTPD removes the need to link
2261  forcefully against 'libgcc_s' which does not always work. J.Perlinger
2262* [Bug 2595] ntpdate man page quirks.  Hal Murray, Harlan Stenn.
2263* [Bug 2625] Deprecate flag1 in local refclock.  Hal Murray, Harlan Stenn.
2264* [Bug 2817] Stop locking ntpd into memory by default under Linux.  H.Stenn.
2265* [Bug 2821] minor build issues: fixed refclock_gpsdjson.c.  perlinger@ntp.org
2266* [Bug 2823] ntpsweep with recursive peers option doesn't work.  H.Stenn.
2267* [Bug 2849] Systems with more than one default route may never
2268  synchronize.  Brian Utterback.  Note that this patch might need to
2269  be reverted once Bug 2043 has been fixed.
2270* [Bug 2864] 4.2.8p3 fails to compile on Windows. Juergen Perlinger
2271* [Bug 2866] segmentation fault at initgroups().  Harlan Stenn.
2272* [Bug 2867] ntpd with autokey active crashed by 'ntpq -crv'. J.Perlinger
2273* [Bug 2873] libevent should not include .deps/ in the tarball.  H.Stenn
2274* [Bug 2874] Don't distribute generated sntp/tests/fileHandlingTest.h. H.Stenn
2275* [Bug 2875] sntp/Makefile.am: Get rid of DIST_SUBDIRS.  libevent must
2276  be configured for the distribution targets.  Harlan Stenn.
2277* [Bug 2883] ntpd crashes on exit with empty driftfile.  Miroslav Lichvar.
2278* [Bug 2886] Mis-spelling: "outlyer" should be "outlier".  dave@horsfall.org
2279* [Bug 2888] streamline calendar functions.  perlinger@ntp.org
2280* [Bug 2889] ntp-dev-4.3.67 does not build on Windows.  perlinger@ntp.org
2281* [Bug 2890] Ignore ENOBUFS on routing netlink socket.  Konstantin Khlebnikov.
2282* [Bug 2906] make check needs better support for pthreads.  Harlan Stenn.
2283* [Bug 2907] dist* build targets require our libevent/ to be enabled.  HStenn.
2284* [Bug 2912] no munlockall() under Windows.  David Taylor, Harlan Stenn.
2285* libntp/emalloc.c: Remove explicit include of stdint.h.  Harlan Stenn.
2286* Put Unity CPPFLAGS items in unity_config.h.  Harlan Stenn.
2287* tests/ntpd/g_leapsec.cpp typo fix.  Harlan Stenn.
2288* Phase 1 deprecation of google test in sntp/tests/.  Harlan Stenn.
2289* On some versions of HP-UX, inttypes.h does not include stdint.h.  H.Stenn.
2290* top_srcdir can change based on ntp v. sntp.  Harlan Stenn.
2291* sntp/tests/ function parameter list cleanup.  Damir Tomić.
2292* tests/libntp/ function parameter list cleanup.  Damir Tomić.
2293* tests/ntpd/ function parameter list cleanup.  Damir Tomić.
2294* sntp/unity/unity_config.h: handle stdint.h.  Harlan Stenn.
2295* sntp/unity/unity_internals.h: handle *INTPTR_MAX on old Solaris.  H.Stenn.
2296* tests/libntp/timevalops.c and timespecops.c fixed error printing.  D.Tomić.
2297* tests/libntp/ improvements in code and fixed error printing.  Damir Tomić.
2298* tests/libntp: a_md5encrypt.c, authkeys.c, buftvtots.c, calendar.c, caljulian.c,
2299  caltontp.c, clocktime.c, humandate.c, hextolfp.c, decodenetnum.c - fixed
2300  formatting; first declaration, then code (C90); deleted unnecessary comments;
2301  changed from sprintf to snprintf; fixed order of includes. Tomasz Flendrich
2302* tests/libntp/lfpfunc.c remove unnecessary include, remove old comments,
2303  fix formatting, cleanup. Tomasz Flendrich
2304* tests/libntp/lfptostr.c remove unnecessary include, add consts, fix formatting.
2305  Tomasz Flendrich
2306* tests/libntp/statestr.c remove empty functions, remove unnecessary include,
2307  fix formatting. Tomasz Flendrich
2308* tests/libntp/modetoa.c fixed formatting. Tomasz Flendrich
2309* tests/libntp/msyslog.c fixed formatting. Tomasz Flendrich
2310* tests/libntp/numtoa.c deleted unnecessary empty functions, fixed formatting.
2311  Tomasz Flendrich
2312* tests/libntp/numtohost.c added const, fixed formatting. Tomasz Flendrich
2313* tests/libntp/refnumtoa.c fixed formatting. Tomasz Flendrich
2314* tests/libntp/ssl_init.c fixed formatting. Tomasz Flendrich
2315* tests/libntp/tvtots.c fixed a bug, fixed formatting. Tomasz Flendrich
2316* tests/libntp/uglydate.c removed an unnecessary include. Tomasz Flendrich
2317* tests/libntp/vi64ops.c removed an unnecessary comment, fixed formatting.
2318* tests/libntp/ymd3yd.c removed an empty function and an unnecessary include,
2319fixed formatting. Tomasz Flendrich
2320* tests/libntp/timespecops.c fixed formatting, fixed the order of includes,
2321  removed unnecessary comments, cleanup. Tomasz Flendrich
2322* tests/libntp/timevalops.c fixed the order of includes, deleted unnecessary
2323  comments, cleanup. Tomasz Flendrich
2324* tests/libntp/sockaddrtest.h making it agree to NTP's conventions of formatting.
2325  Tomasz Flendrich
2326* tests/libntp/lfptest.h cleanup. Tomasz Flendrich
2327* tests/libntp/test-libntp.c fix formatting. Tomasz Flendrich
2328* sntp/tests/crypto.c is now using proper Unity's assertions, fixed formatting.
2329  Tomasz Flendrich
2330* sntp/tests/kodDatabase.c added consts, deleted empty function,
2331  fixed formatting. Tomasz Flendrich
2332* sntp/tests/kodFile.c cleanup, fixed formatting. Tomasz Flendrich
2333* sntp/tests/packetHandling.c is now using proper Unity's assertions,
2334  fixed formatting, deleted unused variable. Tomasz Flendrich
2335* sntp/tests/keyFile.c is now using proper Unity's assertions, fixed formatting.
2336  Tomasz Flendrich
2337* sntp/tests/packetProcessing.c changed from sprintf to snprintf,
2338  fixed formatting. Tomasz Flendrich
2339* sntp/tests/utilities.c is now using proper Unity's assertions, changed
2340  the order of includes, fixed formatting, removed unnecessary comments.
2341  Tomasz Flendrich
2342* sntp/tests/sntptest.h fixed formatting. Tomasz Flendrich
2343* sntp/tests/fileHandlingTest.h.in fixed a possible buffer overflow problem,
2344  made one function do its job, deleted unnecessary prints, fixed formatting.
2345  Tomasz Flendrich
2346* sntp/unity/Makefile.am added a missing header. Tomasz Flendrich
2347* sntp/unity/unity_config.h: Distribute it.  Harlan Stenn.
2348* sntp/libevent/evconfig-private.h: remove generated filefrom SCM.  H.Stenn.
2349* sntp/unity/Makefile.am: fix some broken paths.  Harlan Stenn.
2350* sntp/unity/unity.c: Clean up a printf().  Harlan Stenn.
2351* Phase 1 deprecation of google test in tests/libntp/.  Harlan Stenn.
2352* Don't build sntp/libevent/sample/.  Harlan Stenn.
2353* tests/libntp/test_caltontp needs -lpthread.  Harlan Stenn.
2354* br-flock: --enable-local-libevent.  Harlan Stenn.
2355* Wrote tests for ntpd/ntp_prio_q.c. Tomasz Flendrich
2356* scripts/lib/NTP/Util.pm: stratum output is version-dependent.  Harlan Stenn.
2357* Get rid of the NTP_ prefix on our assertion macros.  Harlan Stenn.
2358* Code cleanup.  Harlan Stenn.
2359* libntp/icom.c: Typo fix.  Harlan Stenn.
2360* util/ntptime.c: initialization nit.  Harlan Stenn.
2361* ntpd/ntp_peer.c:newpeer(): added a DEBUG_REQUIRE(srcadr).  Harlan Stenn.
2362* Add std_unity_tests to various Makefile.am files.  Harlan Stenn.
2363* ntpd/ntp_restrict.c: added a few assertions, created tests for this file.
2364  Tomasz Flendrich
2365* Changed progname to be const in many files - now it's consistent. Tomasz
2366  Flendrich
2367* Typo fix for GCC warning suppression.  Harlan Stenn.
2368* Added tests/ntpd/ntp_scanner.c test. Damir Tomić.
2369* Added declarations to all Unity tests, and did minor fixes to them.
2370  Reduced the number of warnings by half. Damir Tomić.
2371* Updated generate_test_runner.rb and updated the sntp/unity/auto directory
2372  with the latest Unity updates from Mark. Damir Tomić.
2373* Retire google test - phase I.  Harlan Stenn.
2374* Unity test cleanup: move declaration of 'initializing'.  Harlan Stenn.
2375* Update the NEWS file.  Harlan Stenn.
2376* Autoconf cleanup.  Harlan Stenn.
2377* Unit test dist cleanup. Harlan Stenn.
2378* Cleanup various test Makefile.am files.  Harlan Stenn.
2379* Pthread autoconf macro cleanup.  Harlan Stenn.
2380* Fix progname definition in unity runner scripts.  Harlan Stenn.
2381* Clean trailing whitespace in tests/ntpd/Makefile.am.  Harlan Stenn.
2382* Update the patch for bug 2817.  Harlan Stenn.
2383* More updates for bug 2817.  Harlan Stenn.
2384* Fix bugs in tests/ntpd/ntp_prio_q.c.  Harlan Stenn.
2385* gcc on older HPUX may need +allowdups.  Harlan Stenn.
2386* Adding missing MCAST protection.  Harlan Stenn.
2387* Disable certain test programs on certain platforms.  Harlan Stenn.
2388* Implement --enable-problem-tests (on by default).  Harlan Stenn.
2389* build system tweaks.  Harlan Stenn.
2390
2391---
2392NTP 4.2.8p3 (Harlan Stenn <stenn@ntp.org>, 2015/06/29)
2393
2394Focus: 1 Security fix.  Bug fixes and enhancements.  Leap-second improvements.
2395
2396Severity: MEDIUM
2397
2398Security Fix:
2399
2400* [Sec 2853] Crafted remote config packet can crash some versions of
2401  ntpd.  Aleksis Kauppinen, Juergen Perlinger, Harlan Stenn.
2402
2403Under specific circumstances an attacker can send a crafted packet to
2404cause a vulnerable ntpd instance to crash. This requires each of the
2405following to be true:
2406
24071) ntpd set up to allow remote configuration (not allowed by default), and
24082) knowledge of the configuration password, and
24093) access to a computer entrusted to perform remote configuration.
2410
2411This vulnerability is considered low-risk.
2412
2413New features in this release:
2414
2415Optional (disabled by default) support to have ntpd provide smeared
2416leap second time.  A specially built and configured ntpd will only
2417offer smeared time in response to client packets.  These response
2418packets will also contain a "refid" of 254.a.b.c, where the 24 bits
2419of a, b, and c encode the amount of smear in a 2:22 integer:fraction
2420format.  See README.leapsmear and http://bugs.ntp.org/2855 for more
2421information.
2422
2423   *IF YOU CHOOSE TO CONFIGURE NTPD TO PROVIDE LEAP SMEAR TIME*
2424   *BE SURE YOU DO NOT OFFER THAT TIME ON PUBLIC TIMESERVERS.*
2425
2426We've imported the Unity test framework, and have begun converting
2427the existing google-test items to this new framework.  If you want
2428to write new tests or change old ones, you'll need to have ruby
2429installed.  You don't need ruby to run the test suite.
2430
2431Bug Fixes and Improvements:
2432
2433* CID 739725: Fix a rare resource leak in libevent/listener.c.
2434* CID 1295478: Quiet a pedantic potential error from the fix for Bug 2776.
2435* CID 1296235: Fix refclock_jjy.c and correcting type of the driver40-ja.html
2436* CID 1269537: Clean up a line of dead code in getShmTime().
2437* [Bug 1060] Buffer overruns in libparse/clk_rawdcf.c.  Helge Oldach.
2438* [Bug 2590] autogen-5.18.5.
2439* [Bug 2612] restrict: Warn when 'monitor' can't be disabled because
2440  of 'limited'.
2441* [Bug 2650] fix includefile processing.
2442* [Bug 2745] ntpd -x steps clock on leap second
2443   Fixed an initial-value problem that caused misbehaviour in absence of
2444   any leapsecond information.
2445   Do leap second stepping only of the step adjustment is beyond the
2446   proper jump distance limit and step correction is allowed at all.
2447* [Bug 2750] build for Win64
2448  Building for 32bit of loopback ppsapi needs def file
2449* [Bug 2776] Improve ntpq's 'help keytype'.
2450* [Bug 2778] Implement "apeers"  ntpq command to include associd.
2451* [Bug 2782] Refactor refclock_shm.c, add memory barrier protection.
2452* [Bug 2792] If the IFF_RUNNING interface flag is supported then an
2453  interface is ignored as long as this flag is not set since the
2454  interface is not usable (e.g., no link).
2455* [Bug 2794] Clean up kernel clock status reports.
2456* [Bug 2800] refclock_true.c true_debug() can't open debug log because
2457  of incompatible open/fdopen parameters.
2458* [Bug 2804] install-local-data assumes GNU 'find' semantics.
2459* [Bug 2805] ntpd fails to join multicast group.
2460* [Bug 2806] refclock_jjy.c supports the Telephone JJY.
2461* [Bug 2808] GPSD_JSON driver enhancements, step 1.
2462  Fix crash during cleanup if GPS device not present and char device.
2463  Increase internal token buffer to parse all JSON data, even SKY.
2464  Defer logging of errors during driver init until the first unit is
2465  started, so the syslog is not cluttered when the driver is not used.
2466  Various improvements, see http://bugs.ntp.org/2808 for details.
2467  Changed libjsmn to a more recent version.
2468* [Bug 2810] refclock_shm.c memory barrier code needs tweaks for QNX.
2469* [Bug 2813] HP-UX needs -D__STDC_VERSION__=199901L and limits.h.
2470* [Bug 2815] net-snmp before v5.4 has circular library dependencies.
2471* [Bug 2821] Add a missing NTP_PRINTF and a missing const.
2472* [Bug 2822] New leap column in sntp broke NTP::Util.pm.
2473* [Bug 2824] Convert update-leap to perl. (also see 2769)
2474* [Bug 2825] Quiet file installation in html/ .
2475* [Bug 2830] ntpd doesn't always transfer the correct TAI offset via autokey
2476   NTPD transfers the current TAI (instead of an announcement) now.
2477   This might still needed improvement.
2478   Update autokey data ASAP when 'sys_tai' changes.
2479   Fix unit test that was broken by changes for autokey update.
2480   Avoid potential signature length issue and use DPRINTF where possible
2481     in ntp_crypto.c.
2482* [Bug 2832] refclock_jjy.c supports the TDC-300.
2483* [Bug 2834] Correct a broken html tag in html/refclock.html
2484* [Bug 2836] DFC77 patches from Frank Kardel to make decoding more
2485  robust, and require 2 consecutive timestamps to be consistent.
2486* [Bug 2837] Allow a configurable DSCP value.
2487* [Bug 2837] add test for DSCP to ntpd/complete.conf.in
2488* [Bug 2842] Glitch in ntp.conf.def documentation stanza.
2489* [Bug 2842] Bug in mdoc2man.
2490* [Bug 2843] make check fails on 4.3.36
2491   Fixed compiler warnings about numeric range overflow
2492   (The original topic was fixed in a byplay to bug#2830)
2493* [Bug 2845] Harden memory allocation in ntpd.
2494* [Bug 2852] 'make check' can't find unity.h.  Hal Murray.
2495* [Bug 2854] Missing brace in libntp/strdup.c.  Masanari Iida.
2496* [Bug 2855] Parser fix for conditional leap smear code.  Harlan Stenn.
2497* [Bug 2855] Report leap smear in the REFID.  Harlan Stenn.
2498* [Bug 2855] Implement conditional leap smear code.  Martin Burnicki.
2499* [Bug 2856] ntpd should wait() on terminated child processes.  Paul Green.
2500* [Bug 2857] Stratus VOS does not support SIGIO.  Paul Green.
2501* [Bug 2859] Improve raw DCF77 robustness deconding.  Frank Kardel.
2502* [Bug 2860] ntpq ifstats sanity check is too stringent.  Frank Kardel.
2503* html/drivers/driver22.html: typo fix.  Harlan Stenn.
2504* refidsmear test cleanup.  Tomasz Flendrich.
2505* refidsmear function support and tests.  Harlan Stenn.
2506* sntp/tests/Makefile.am: remove g_nameresolution.cpp as it tested
2507  something that was only in the 4.2.6 sntp.  Harlan Stenn.
2508* Modified tests/bug-2803/Makefile.am so it builds Unity framework tests.
2509  Damir Tomić
2510* Modified tests/libtnp/Makefile.am so it builds Unity framework tests.
2511  Damir Tomić
2512* Modified sntp/tests/Makefile.am so it builds Unity framework tests.
2513  Damir Tomić
2514* tests/sandbox/smeartest.c: Harlan Stenn, Damir Tomic, Juergen Perlinger.
2515* Converted from gtest to Unity: tests/bug-2803/. Damir Tomić
2516* Converted from gtest to Unity: tests/libntp/ a_md5encrypt, atoint.c,
2517  atouint.c, authkeys.c, buftvtots.c, calendar.c, caljulian.c,
2518  calyearstart.c, clocktime.c, hextoint.c, lfpfunc.c, modetoa.c,
2519  numtoa.c, numtohost.c, refnumtoa.c, ssl_init.c, statestr.c,
2520  timespecops.c, timevalops.c, uglydate.c, vi64ops.c, ymd2yd.c.
2521  Damir Tomić
2522* Converted from gtest to Unity: sntp/tests/ kodDatabase.c, kodFile.c,
2523  networking.c, keyFile.c, utilities.cpp, sntptest.h,
2524  fileHandlingTest.h. Damir Tomić
2525* Initial support for experimental leap smear code.  Harlan Stenn.
2526* Fixes to sntp/tests/fileHandlingTest.h.in.  Harlan Stenn.
2527* Report select() debug messages at debug level 3 now.
2528* sntp/scripts/genLocInfo: treat raspbian as debian.
2529* Unity test framework fixes.
2530  ** Requires ruby for changes to tests.
2531* Initial support for PACKAGE_VERSION tests.
2532* sntp/libpkgver belongs in EXTRA_DIST, not DIST_SUBDIRS.
2533* tests/bug-2803/Makefile.am must distribute bug-2803.h.
2534* Add an assert to the ntpq ifstats code.
2535* Clean up the RLIMIT_STACK code.
2536* Improve the ntpq documentation around the controlkey keyid.
2537* ntpq.c cleanup.
2538* Windows port build cleanup.
2539
2540---
2541NTP 4.2.8p2 (Harlan Stenn <stenn@ntp.org>, 2015/04/07)
2542
2543Focus: Security and Bug fixes, enhancements.
2544
2545Severity: MEDIUM
2546
2547In addition to bug fixes and enhancements, this release fixes the
2548following medium-severity vulnerabilities involving private key
2549authentication:
2550
2551* [Sec 2779] ntpd accepts unauthenticated packets with symmetric key crypto.
2552
2553    References: Sec 2779 / CVE-2015-1798 / VU#374268
2554    Affects: All NTP4 releases starting with ntp-4.2.5p99 up to but not
2555	including ntp-4.2.8p2 where the installation uses symmetric keys
2556	to authenticate remote associations.
2557    CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4
2558    Date Resolved: Stable (4.2.8p2) 07 Apr 2015
2559    Summary: When ntpd is configured to use a symmetric key to authenticate
2560	a remote NTP server/peer, it checks if the NTP message
2561	authentication code (MAC) in received packets is valid, but not if
2562	there actually is any MAC included. Packets without a MAC are
2563	accepted as if they had a valid MAC. This allows a MITM attacker to
2564	send false packets that are accepted by the client/peer without
2565	having to know the symmetric key. The attacker needs to know the
2566	transmit timestamp of the client to match it in the forged reply
2567	and the false reply needs to reach the client before the genuine
2568	reply from the server. The attacker doesn't necessarily need to be
2569	relaying the packets between the client and the server.
2570
2571	Authentication using autokey doesn't have this problem as there is
2572	a check that requires the key ID to be larger than NTP_MAXKEY,
2573	which fails for packets without a MAC.
2574    Mitigation:
2575        Upgrade to 4.2.8p2, or later, from the NTP Project Download Page
2576	or the NTP Public Services Project Download Page
2577        Configure ntpd with enough time sources and monitor it properly.
2578    Credit: This issue was discovered by Miroslav Lichvar, of Red Hat.
2579
2580* [Sec 2781] Authentication doesn't protect symmetric associations against
2581  DoS attacks.
2582
2583    References: Sec 2781 / CVE-2015-1799 / VU#374268
2584    Affects: All NTP releases starting with at least xntp3.3wy up to but
2585	not including ntp-4.2.8p2 where the installation uses symmetric
2586	key authentication.
2587    CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4
2588    Note: the CVSS base Score for this issue could be 4.3 or lower, and
2589	it could be higher than 5.4.
2590    Date Resolved: Stable (4.2.8p2) 07 Apr 2015
2591    Summary: An attacker knowing that NTP hosts A and B are peering with
2592	each other (symmetric association) can send a packet to host A
2593	with source address of B which will set the NTP state variables
2594	on A to the values sent by the attacker. Host A will then send
2595	on its next poll to B a packet with originate timestamp that
2596	doesn't match the transmit timestamp of B and the packet will
2597	be dropped. If the attacker does this periodically for both
2598	hosts, they won't be able to synchronize to each other. This is
2599	a known denial-of-service attack, described at
2600	https://www.eecis.udel.edu/~mills/onwire.html .
2601
2602	According to the document the NTP authentication is supposed to
2603	protect symmetric associations against this attack, but that
2604	doesn't seem to be the case. The state variables are updated even
2605	when authentication fails and the peers are sending packets with
2606	originate timestamps that don't match the transmit timestamps on
2607	the receiving side.
2608
2609	This seems to be a very old problem, dating back to at least
2610	xntp3.3wy. It's also in the NTPv3 (RFC 1305) and NTPv4 (RFC 5905)
2611	specifications, so other NTP implementations with support for
2612	symmetric associations and authentication may be vulnerable too.
2613	An update to the NTP RFC to correct this error is in-process.
2614    Mitigation:
2615        Upgrade to 4.2.8p2, or later, from the NTP Project Download Page
2616	or the NTP Public Services Project Download Page
2617        Note that for users of autokey, this specific style of MITM attack
2618	is simply a long-known potential problem.
2619        Configure ntpd with appropriate time sources and monitor ntpd.
2620	Alert your staff if problems are detected.
2621    Credit: This issue was discovered by Miroslav Lichvar, of Red Hat.
2622
2623* New script: update-leap
2624The update-leap script will verify and if necessary, update the
2625leap-second definition file.
2626It requires the following commands in order to work:
2627
2628	wget logger tr sed shasum
2629
2630Some may choose to run this from cron.  It needs more portability testing.
2631
2632Bug Fixes and Improvements:
2633
2634* [Bug 1787] DCF77's formerly "antenna" bit is "call bit" since 2003.
2635* [Bug 1960] setsockopt IPV6_MULTICAST_IF: Invalid argument.
2636* [Bug 2346] "graceful termination" signals do not do peer cleanup.
2637* [Bug 2728] See if C99-style structure initialization works.
2638* [Bug 2747] Upgrade libevent to 2.1.5-beta.
2639* [Bug 2749] ntp/lib/NTP/Util.pm needs update for ntpq -w, IPv6, .POOL. .
2640* [Bug 2751] jitter.h has stale copies of l_fp macros.
2641* [Bug 2756] ntpd hangs in startup with gcc 3.3.5 on ARM.
2642* [Bug 2757] Quiet compiler warnings.
2643* [Bug 2759] Expose nonvolatile/clk_wander_threshold to ntpq.
2644* [Bug 2763] Allow different thresholds for forward and backward steps.
2645* [Bug 2766] ntp-keygen output files should not be world-readable.
2646* [Bug 2767] ntp-keygen -M should symlink to ntp.keys.
2647* [Bug 2771] nonvolatile value is documented in wrong units.
2648* [Bug 2773] Early leap announcement from Palisade/Thunderbolt
2649* [Bug 2774] Unreasonably verbose printout - leap pending/warning
2650* [Bug 2775] ntp-keygen.c fails to compile under Windows.
2651* [Bug 2777] Fixed loops and decoding of Meinberg GPS satellite info.
2652  Removed non-ASCII characters from some copyright comments.
2653  Removed trailing whitespace.
2654  Updated definitions for Meinberg clocks from current Meinberg header files.
2655  Now use C99 fixed-width types and avoid non-ASCII characters in comments.
2656  Account for updated definitions pulled from Meinberg header files.
2657  Updated comments on Meinberg GPS receivers which are not only called GPS16x.
2658  Replaced some constant numbers by defines from ntp_calendar.h
2659  Modified creation of parse-specific variables for Meinberg devices
2660  in gps16x_message().
2661  Reworked mk_utcinfo() to avoid printing of ambiguous leap second dates.
2662  Modified mbg_tm_str() which now expexts an additional parameter controlling
2663  if the time status shall be printed.
2664* [Sec 2779] ntpd accepts unauthenticated packets with symmetric key crypto.
2665* [Sec 2781] Authentication doesn't protect symmetric associations against
2666  DoS attacks.
2667* [Bug 2783] Quiet autoconf warnings about missing AC_LANG_SOURCE.
2668* [Bug 2789] Quiet compiler warnings from libevent.
2669* [Bug 2790] If ntpd sets the Windows MM timer highest resolution
2670  pause briefly before measuring system clock precision to yield
2671  correct results.
2672* Comment from Juergen Perlinger in ntp_calendar.c to make the code clearer.
2673* Use predefined function types for parse driver functions
2674  used to set up function pointers.
2675  Account for changed prototype of parse_inp_fnc_t functions.
2676  Cast parse conversion results to appropriate types to avoid
2677  compiler warnings.
2678  Let ioctl() for Windows accept a (void *) to avoid compiler warnings
2679  when called with pointers to different types.
2680
2681---
2682NTP 4.2.8p1 (Harlan Stenn <stenn@ntp.org>, 2015/02/04)
2683
2684Focus: Security and Bug fixes, enhancements.
2685
2686Severity: HIGH
2687
2688In addition to bug fixes and enhancements, this release fixes the
2689following high-severity vulnerabilities:
2690
2691* vallen is not validated in several places in ntp_crypto.c, leading
2692  to a potential information leak or possibly a crash
2693
2694    References: Sec 2671 / CVE-2014-9297 / VU#852879
2695    Affects: All NTP4 releases before 4.2.8p1 that are running autokey.
2696    CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
2697    Date Resolved: Stable (4.2.8p1) 04 Feb 2015
2698    Summary: The vallen packet value is not validated in several code
2699             paths in ntp_crypto.c which can lead to information leakage
2700	     or perhaps a crash of the ntpd process.
2701    Mitigation - any of:
2702	Upgrade to 4.2.8p1, or later, from the NTP Project Download Page
2703		or the NTP Public Services Project Download Page.
2704	Disable Autokey Authentication by removing, or commenting out,
2705		all configuration directives beginning with the "crypto"
2706		keyword in your ntp.conf file.
2707    Credit: This vulnerability was discovered by Stephen Roettger of the
2708    	Google Security Team, with additional cases found by Sebastian
2709	Krahmer of the SUSE Security Team and Harlan Stenn of Network
2710	Time Foundation.
2711
2712* ::1 can be spoofed on some OSes, so ACLs based on IPv6 ::1 addresses
2713  can be bypassed.
2714
2715    References: Sec 2672 / CVE-2014-9298 / VU#852879
2716    Affects: All NTP4 releases before 4.2.8p1, under at least some
2717	versions of MacOS and Linux. *BSD has not been seen to be vulnerable.
2718    CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:C) Base Score: 9
2719    Date Resolved: Stable (4.2.8p1) 04 Feb 2014
2720    Summary: While available kernels will prevent 127.0.0.1 addresses
2721	from "appearing" on non-localhost IPv4 interfaces, some kernels
2722	do not offer the same protection for ::1 source addresses on
2723	IPv6 interfaces. Since NTP's access control is based on source
2724	address and localhost addresses generally have no restrictions,
2725	an attacker can send malicious control and configuration packets
2726	by spoofing ::1 addresses from the outside. Note Well: This is
2727	not really a bug in NTP, it's a problem with some OSes. If you
2728	have one of these OSes where ::1 can be spoofed, ALL ::1 -based
2729	ACL restrictions on any application can be bypassed!
2730    Mitigation:
2731        Upgrade to 4.2.8p1, or later, from the NTP Project Download Page
2732	or the NTP Public Services Project Download Page
2733        Install firewall rules to block packets claiming to come from
2734	::1 from inappropriate network interfaces.
2735    Credit: This vulnerability was discovered by Stephen Roettger of
2736	the Google Security Team.
2737
2738Additionally, over 30 bugfixes and improvements were made to the codebase.
2739See the ChangeLog for more information.
2740
2741---
2742NTP 4.2.8 (Harlan Stenn <stenn@ntp.org>, 2014/12/18)
2743
2744Focus: Security and Bug fixes, enhancements.
2745
2746Severity: HIGH
2747
2748In addition to bug fixes and enhancements, this release fixes the
2749following high-severity vulnerabilities:
2750
2751************************** vv NOTE WELL vv *****************************
2752
2753The vulnerabilities listed below can be significantly mitigated by
2754following the BCP of putting
2755
2756 restrict default ... noquery
2757
2758in the ntp.conf file.  With the exception of:
2759
2760   receive(): missing return on error
2761   References: Sec 2670 / CVE-2014-9296 / VU#852879
2762
2763below (which is a limited-risk vulnerability), none of the recent
2764vulnerabilities listed below can be exploited if the source IP is
2765restricted from sending a 'query'-class packet by your ntp.conf file.
2766
2767************************** ^^ NOTE WELL ^^ *****************************
2768
2769* Weak default key in config_auth().
2770
2771  References: [Sec 2665] / CVE-2014-9293 / VU#852879
2772  CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3
2773  Vulnerable Versions: all releases prior to 4.2.7p11
2774  Date Resolved: 28 Jan 2010
2775
2776  Summary: If no 'auth' key is set in the configuration file, ntpd
2777	would generate a random key on the fly.  There were two
2778	problems with this: 1) the generated key was 31 bits in size,
2779	and 2) it used the (now weak) ntp_random() function, which was
2780	seeded with a 32-bit value and could only provide 32 bits of
2781	entropy.  This was sufficient back in the late 1990s when the
2782	code was written.  Not today.
2783
2784  Mitigation - any of:
2785	- Upgrade to 4.2.7p11 or later.
2786	- Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
2787
2788  Credit: This vulnerability was noticed in ntp-4.2.6 by Neel Mehta
2789  	of the Google Security Team.
2790
2791* Non-cryptographic random number generator with weak seed used by
2792  ntp-keygen to generate symmetric keys.
2793
2794  References: [Sec 2666] / CVE-2014-9294 / VU#852879
2795  CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3
2796  Vulnerable Versions: All NTP4 releases before 4.2.7p230
2797  Date Resolved: Dev (4.2.7p230) 01 Nov 2011
2798
2799  Summary: Prior to ntp-4.2.7p230 ntp-keygen used a weak seed to
2800  	prepare a random number generator that was of good quality back
2801	in the late 1990s. The random numbers produced was then used to
2802	generate symmetric keys. In ntp-4.2.8 we use a current-technology
2803	cryptographic random number generator, either RAND_bytes from
2804	OpenSSL, or arc4random().
2805
2806  Mitigation - any of:
2807  	- Upgrade to 4.2.7p230 or later.
2808	- Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
2809
2810  Credit:  This vulnerability was discovered in ntp-4.2.6 by
2811  	Stephen Roettger of the Google Security Team.
2812
2813* Buffer overflow in crypto_recv()
2814
2815  References: Sec 2667 / CVE-2014-9295 / VU#852879
2816  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
2817  Versions: All releases before 4.2.8
2818  Date Resolved: Stable (4.2.8) 18 Dec 2014
2819
2820  Summary: When Autokey Authentication is enabled (i.e. the ntp.conf
2821  	file contains a 'crypto pw ...' directive) a remote attacker
2822	can send a carefully crafted packet that can overflow a stack
2823	buffer and potentially allow malicious code to be executed
2824	with the privilege level of the ntpd process.
2825
2826  Mitigation - any of:
2827  	- Upgrade to 4.2.8, or later, or
2828	- Disable Autokey Authentication by removing, or commenting out,
2829	  all configuration directives beginning with the crypto keyword
2830	  in your ntp.conf file.
2831
2832  Credit: This vulnerability was discovered by Stephen Roettger of the
2833  	Google Security Team.
2834
2835* Buffer overflow in ctl_putdata()
2836
2837  References: Sec 2668 / CVE-2014-9295 / VU#852879
2838  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
2839  Versions: All NTP4 releases before 4.2.8
2840  Date Resolved: Stable (4.2.8) 18 Dec 2014
2841
2842  Summary: A remote attacker can send a carefully crafted packet that
2843  	can overflow a stack buffer and potentially allow malicious
2844	code to be executed with the privilege level of the ntpd process.
2845
2846  Mitigation - any of:
2847  	- Upgrade to 4.2.8, or later.
2848	- Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
2849
2850  Credit: This vulnerability was discovered by Stephen Roettger of the
2851  	Google Security Team.
2852
2853* Buffer overflow in configure()
2854
2855  References: Sec 2669 / CVE-2014-9295 / VU#852879
2856  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
2857  Versions: All NTP4 releases before 4.2.8
2858  Date Resolved: Stable (4.2.8) 18 Dec 2014
2859
2860  Summary: A remote attacker can send a carefully crafted packet that
2861	can overflow a stack buffer and potentially allow malicious
2862	code to be executed with the privilege level of the ntpd process.
2863
2864  Mitigation - any of:
2865  	- Upgrade to 4.2.8, or later.
2866	- Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
2867
2868  Credit: This vulnerability was discovered by Stephen Roettger of the
2869	Google Security Team.
2870
2871* receive(): missing return on error
2872
2873  References: Sec 2670 / CVE-2014-9296 / VU#852879
2874  CVSS: (AV:N/AC:L/Au:N/C:N/I:N/A:P) Base Score: 5.0
2875  Versions: All NTP4 releases before 4.2.8
2876  Date Resolved: Stable (4.2.8) 18 Dec 2014
2877
2878  Summary: Code in ntp_proto.c:receive() was missing a 'return;' in
2879  	the code path where an error was detected, which meant
2880	processing did not stop when a specific rare error occurred.
2881	We haven't found a way for this bug to affect system integrity.
2882	If there is no way to affect system integrity the base CVSS
2883	score for this bug is 0. If there is one avenue through which
2884	system integrity can be partially affected, the base score
2885	becomes a 5. If system integrity can be partially affected
2886	via all three integrity metrics, the CVSS base score become 7.5.
2887
2888  Mitigation - any of:
2889        - Upgrade to 4.2.8, or later,
2890        - Remove or comment out all configuration directives
2891	  beginning with the crypto keyword in your ntp.conf file.
2892
2893  Credit: This vulnerability was discovered by Stephen Roettger of the
2894  	Google Security Team.
2895
2896See http://support.ntp.org/security for more information.
2897
2898New features / changes in this release:
2899
2900Important Changes
2901
2902* Internal NTP Era counters
2903
2904The internal counters that track the "era" (range of years) we are in
2905rolls over every 136 years'.  The current "era" started at the stroke of
2906midnight on 1 Jan 1900, and ends just before the stroke of midnight on
29071 Jan 2036.
2908In the past, we have used the "midpoint" of the  range to decide which
2909era we were in.  Given the longevity of some products, it became clear
2910that it would be more functional to "look back" less, and "look forward"
2911more.  We now compile a timestamp into the ntpd executable and when we
2912get a timestamp we us the "built-on" to tell us what era we are in.
2913This check "looks back" 10 years, and "looks forward" 126 years.
2914
2915* ntpdc responses disabled by default
2916
2917Dave Hart writes:
2918
2919For a long time, ntpq and its mostly text-based mode 6 (control)
2920protocol have been preferred over ntpdc and its mode 7 (private
2921request) protocol for runtime queries and configuration.  There has
2922been a goal of deprecating ntpdc, previously held back by numerous
2923capabilities exposed by ntpdc with no ntpq equivalent.  I have been
2924adding commands to ntpq to cover these cases, and I believe I've
2925covered them all, though I've not compared command-by-command
2926recently.
2927
2928As I've said previously, the binary mode 7 protocol involves a lot of
2929hand-rolled structure layout and byte-swapping code in both ntpd and
2930ntpdc which is hard to get right.  As ntpd grows and changes, the
2931changes are difficult to expose via ntpdc while maintaining forward
2932and backward compatibility between ntpdc and ntpd.  In contrast,
2933ntpq's text-based, label=value approach involves more code reuse and
2934allows compatible changes without extra work in most cases.
2935
2936Mode 7 has always been defined as vendor/implementation-specific while
2937mode 6 is described in RFC 1305 and intended to be open to interoperate
2938with other implementations.  There is an early draft of an updated
2939mode 6 description that likely will join the other NTPv4 RFCs
2940eventually. (http://tools.ietf.org/html/draft-odonoghue-ntpv4-control-01)
2941
2942For these reasons, ntpd 4.2.7p230 by default disables processing of
2943ntpdc queries, reducing ntpd's attack surface and functionally
2944deprecating ntpdc.  If you are in the habit of using ntpdc for certain
2945operations, please try the ntpq equivalent.  If there's no equivalent,
2946please open a bug report at http://bugs.ntp.org./
2947
2948In addition to the above, over 1100 issues have been resolved between
2949the 4.2.6 branch and 4.2.8.  The ChangeLog file in the distribution
2950lists these.
2951
2952---
2953NTP 4.2.6p5 (Harlan Stenn <stenn@ntp.org>, 2011/12/24)
2954
2955Focus: Bug fixes
2956
2957Severity: Medium
2958
2959This is a recommended upgrade.
2960
2961This release updates sys_rootdisp and sys_jitter calculations to match the
2962RFC specification, fixes a potential IPv6 address matching error for the
2963"nic" and "interface" configuration directives, suppresses the creation of
2964extraneous ephemeral associations for certain broadcastclient and
2965multicastclient configurations, cleans up some ntpq display issues, and
2966includes improvements to orphan mode, minor bugs fixes and code clean-ups.
2967
2968New features / changes in this release:
2969
2970ntpd
2971
2972 * Updated "nic" and "interface" IPv6 address handling to prevent
2973   mismatches with localhost [::1] and wildcard [::] which resulted from
2974   using the address/prefix format (e.g. fe80::/64)
2975 * Fix orphan mode stratum incorrectly counting to infinity
2976 * Orphan parent selection metric updated to includes missing ntohl()
2977 * Non-printable stratum 16 refid no longer sent to ntp
2978 * Duplicate ephemeral associations suppressed for broadcastclient and
2979   multicastclient without broadcastdelay
2980 * Exclude undetermined sys_refid from use in loopback TEST12
2981 * Exclude MODE_SERVER responses from KoD rate limiting
2982 * Include root delay in clock_update() sys_rootdisp calculations
2983 * get_systime() updated to exclude sys_residual offset (which only
2984   affected bits "below" sys_tick, the precision threshold)
2985 * sys.peer jitter weighting corrected in sys_jitter calculation
2986
2987ntpq
2988
2989 * -n option extended to include the billboard "server" column
2990 * IPv6 addresses in the local column truncated to prevent overruns
2991
2992---
2993NTP 4.2.6p4 (Harlan Stenn <stenn@ntp.org>, 2011/09/22)
2994
2995Focus: Bug fixes and portability improvements
2996
2997Severity: Medium
2998
2999This is a recommended upgrade.
3000
3001This release includes build infrastructure updates, code
3002clean-ups, minor bug fixes, fixes for a number of minor
3003ref-clock issues, and documentation revisions.
3004
3005Portability improvements affect AIX, HP-UX, Linux, OS X and 64-bit time_t.
3006
3007New features / changes in this release:
3008
3009Build system
3010
3011* Fix checking for struct rtattr
3012* Update config.guess and config.sub for AIX
3013* Upgrade required version of autogen and libopts for building
3014  from our source code repository
3015
3016ntpd
3017
3018* Back-ported several fixes for Coverity warnings from ntp-dev
3019* Fix a rare boundary condition in UNLINK_EXPR_SLIST()
3020* Allow "logconfig =allall" configuration directive
3021* Bind tentative IPv6 addresses on Linux
3022* Correct WWVB/Spectracom driver to timestamp CR instead of LF
3023* Improved tally bit handling to prevent incorrect ntpq peer status reports
3024* Exclude the Undisciplined Local Clock and ACTS drivers from the initial
3025  candidate list unless they are designated a "prefer peer"
3026* Prevent the consideration of Undisciplined Local Clock or ACTS drivers for
3027  selection during the 'tos orphanwait' period
3028* Prefer an Orphan Mode Parent over the Undisciplined Local Clock or ACTS
3029  drivers
3030* Improved support of the Parse Refclock trusttime flag in Meinberg mode
3031* Back-port utility routines from ntp-dev: mprintf(), emalloc_zero()
3032* Added the NTPD_TICKADJ_PPM environment variable for specifying baseline
3033  clock slew on Microsoft Windows
3034* Code cleanup in libntpq
3035
3036ntpdc
3037
3038* Fix timerstats reporting
3039
3040ntpdate
3041
3042* Reduce time required to set clock
3043* Allow a timeout greater than 2 seconds
3044
3045sntp
3046
3047* Backward incompatible command-line option change:
3048  -l/--filelog changed -l/--logfile (to be consistent with ntpd)
3049
3050Documentation
3051
3052* Update html2man. Fix some tags in the .html files
3053* Distribute ntp-wait.html
3054
3055---
3056NTP 4.2.6p3 (Harlan Stenn <stenn@ntp.org>, 2011/01/03)
3057
3058Focus: Bug fixes and portability improvements
3059
3060Severity: Medium
3061
3062This is a recommended upgrade.
3063
3064This release includes build infrastructure updates, code
3065clean-ups, minor bug fixes, fixes for a number of minor
3066ref-clock issues, and documentation revisions.
3067
3068Portability improvements in this release affect AIX, Atari FreeMiNT,
3069FreeBSD4, Linux and Microsoft Windows.
3070
3071New features / changes in this release:
3072
3073Build system
3074* Use lsb_release to get information about Linux distributions.
3075* 'test' is in /usr/bin (instead of /bin) on some systems.
3076* Basic sanity checks for the ChangeLog file.
3077* Source certain build files with ./filename for systems without . in PATH.
3078* IRIX portability fix.
3079* Use a single copy of the "libopts" code.
3080* autogen/libopts upgrade.
3081* configure.ac m4 quoting cleanup.
3082
3083ntpd
3084* Do not bind to IN6_IFF_ANYCAST addresses.
3085* Log the reason for exiting under Windows.
3086* Multicast fixes for Windows.
3087* Interpolation fixes for Windows.
3088* IPv4 and IPv6 Multicast fixes.
3089* Manycast solicitation fixes and general repairs.
3090* JJY refclock cleanup.
3091* NMEA refclock improvements.
3092* Oncore debug message cleanup.
3093* Palisade refclock now builds under Linux.
3094* Give RAWDCF more baud rates.
3095* Support Truetime Satellite clocks under Windows.
3096* Support Arbiter 1093C Satellite clocks under Windows.
3097* Make sure that the "filegen" configuration command defaults to "enable".
3098* Range-check the status codes (plus other cleanup) in the RIPE-NCC driver.
3099* Prohibit 'includefile' directive in remote configuration command.
3100* Fix 'nic' interface bindings.
3101* Fix the way we link with openssl if openssl is installed in the base
3102  system.
3103
3104ntp-keygen
3105* Fix -V coredump.
3106* OpenSSL version display cleanup.
3107
3108ntpdc
3109* Many counters should be treated as unsigned.
3110
3111ntpdate
3112* Do not ignore replies with equal receive and transmit timestamps.
3113
3114ntpq
3115* libntpq warning cleanup.
3116
3117ntpsnmpd
3118* Correct SNMP type for "precision" and "resolution".
3119* Update the MIB from the draft version to RFC-5907.
3120
3121sntp
3122* Display timezone offset when showing time for sntp in the local
3123  timezone.
3124* Pay proper attention to RATE KoD packets.
3125* Fix a miscalculation of the offset.
3126* Properly parse empty lines in the key file.
3127* Logging cleanup.
3128* Use tv_usec correctly in set_time().
3129* Documentation cleanup.
3130
3131---
3132NTP 4.2.6p2 (Harlan Stenn <stenn@ntp.org>, 2010/07/08)
3133
3134Focus: Bug fixes and portability improvements
3135
3136Severity: Medium
3137
3138This is a recommended upgrade.
3139
3140This release includes build infrastructure updates, code
3141clean-ups, minor bug fixes, fixes for a number of minor
3142ref-clock issues, improved KOD handling, OpenSSL related
3143updates and documentation revisions.
3144
3145Portability improvements in this release affect Irix, Linux,
3146Mac OS, Microsoft Windows, OpenBSD and QNX6
3147
3148New features / changes in this release:
3149
3150ntpd
3151* Range syntax for the trustedkey configuration directive
3152* Unified IPv4 and IPv6 restrict lists
3153
3154ntpdate
3155* Rate limiting and KOD handling
3156
3157ntpsnmpd
3158* default connection to net-snmpd via a unix-domain socket
3159* command-line 'socket name' option
3160
3161ntpq / ntpdc
3162* support for the "passwd ..." syntax
3163* key-type specific password prompts
3164
3165sntp
3166* MD5 authentication of an ntpd
3167* Broadcast and crypto
3168* OpenSSL support
3169
3170---
3171NTP 4.2.6p1 (Harlan Stenn <stenn@ntp.org>, 2010/04/09)
3172
3173Focus: Bug fixes, portability fixes, and documentation improvements
3174
3175Severity: Medium
3176
3177This is a recommended upgrade.
3178
3179---
3180NTP 4.2.6 (Harlan Stenn <stenn@ntp.org>, 2009/12/08)
3181
3182Focus: enhancements and bug fixes.
3183
3184---
3185NTP 4.2.4p8 (Harlan Stenn <stenn@ntp.org>, 2009/12/08)
3186
3187Focus: Security Fixes
3188
3189Severity: HIGH
3190
3191This release fixes the following high-severity vulnerability:
3192
3193* [Sec 1331] DoS with mode 7 packets - CVE-2009-3563.
3194
3195  See http://support.ntp.org/security for more information.
3196
3197  NTP mode 7 (MODE_PRIVATE) is used by the ntpdc query and control utility.
3198  In contrast, ntpq uses NTP mode 6 (MODE_CONTROL), while routine NTP time
3199  transfers use modes 1 through 5.  Upon receipt of an incorrect mode 7
3200  request or a mode 7 error response from an address which is not listed
3201  in a "restrict ... noquery" or "restrict ... ignore" statement, ntpd will
3202  reply with a mode 7 error response (and log a message).  In this case:
3203
3204	* If an attacker spoofs the source address of ntpd host A in a
3205	  mode 7 response packet sent to ntpd host B, both A and B will
3206	  continuously send each other error responses, for as long as
3207	  those packets get through.
3208
3209	* If an attacker spoofs an address of ntpd host A in a mode 7
3210	  response packet sent to ntpd host A, A will respond to itself
3211	  endlessly, consuming CPU and logging excessively.
3212
3213  Credit for finding this vulnerability goes to Robin Park and Dmitri
3214  Vinokurov of Alcatel-Lucent.
3215
3216THIS IS A STRONGLY RECOMMENDED UPGRADE.
3217
3218---
3219ntpd now syncs to refclocks right away.
3220
3221Backward-Incompatible changes:
3222
3223ntpd no longer accepts '-v name' or '-V name' to define internal variables.
3224Use '--var name' or '--dvar name' instead. (Bug 817)
3225
3226---
3227NTP 4.2.4p7 (Harlan Stenn <stenn@ntp.org>, 2009/05/04)
3228
3229Focus: Security and Bug Fixes
3230
3231Severity: HIGH
3232
3233This release fixes the following high-severity vulnerability:
3234
3235* [Sec 1151] Remote exploit if autokey is enabled.  CVE-2009-1252
3236
3237  See http://support.ntp.org/security for more information.
3238
3239  If autokey is enabled (if ntp.conf contains a "crypto pw whatever"
3240  line) then a carefully crafted packet sent to the machine will cause
3241  a buffer overflow and possible execution of injected code, running
3242  with the privileges of the ntpd process (often root).
3243
3244  Credit for finding this vulnerability goes to Chris Ries of CMU.
3245
3246This release fixes the following low-severity vulnerabilities:
3247
3248* [Sec 1144] limited (two byte) buffer overflow in ntpq.  CVE-2009-0159
3249  Credit for finding this vulnerability goes to Geoff Keating of Apple.
3250
3251* [Sec 1149] use SO_EXCLUSIVEADDRUSE on Windows
3252  Credit for finding this issue goes to Dave Hart.
3253
3254This release fixes a number of bugs and adds some improvements:
3255
3256* Improved logging
3257* Fix many compiler warnings
3258* Many fixes and improvements for Windows
3259* Adds support for AIX 6.1
3260* Resolves some issues under MacOS X and Solaris
3261
3262THIS IS A STRONGLY RECOMMENDED UPGRADE.
3263
3264---
3265NTP 4.2.4p6 (Harlan Stenn <stenn@ntp.org>, 2009/01/07)
3266
3267Focus: Security Fix
3268
3269Severity: Low
3270
3271This release fixes oCERT.org's CVE-2009-0021, a vulnerability affecting
3272the OpenSSL library relating to the incorrect checking of the return
3273value of EVP_VerifyFinal function.
3274
3275Credit for finding this issue goes to the Google Security Team for
3276finding the original issue with OpenSSL, and to ocert.org for finding
3277the problem in NTP and telling us about it.
3278
3279This is a recommended upgrade.
3280---
3281NTP 4.2.4p5 (Harlan Stenn <stenn@ntp.org>, 2008/08/17)
3282
3283Focus: Minor Bugfixes
3284
3285This release fixes a number of Windows-specific ntpd bugs and
3286platform-independent ntpdate bugs. A logging bugfix has been applied
3287to the ONCORE driver.
3288
3289The "dynamic" keyword and is now obsolete and deferred binding to local
3290interfaces is the new default. The minimum time restriction for the
3291interface update interval has been dropped.
3292
3293A number of minor build system and documentation fixes are included.
3294
3295This is a recommended upgrade for Windows.
3296
3297---
3298NTP 4.2.4p4 (Harlan Stenn <stenn@ntp.org>, 2007/09/10)
3299
3300Focus: Minor Bugfixes
3301
3302This release updates certain copyright information, fixes several display
3303bugs in ntpdc, avoids SIGIO interrupting malloc(), cleans up file descriptor
3304shutdown in the parse refclock driver, removes some lint from the code,
3305stops accessing certain buffers immediately after they were freed, fixes
3306a problem with non-command-line specification of -6, and allows the loopback
3307interface to share addresses with other interfaces.
3308
3309---
3310NTP 4.2.4p3 (Harlan Stenn <stenn@ntp.org>, 2007/06/29)
3311
3312Focus: Minor Bugfixes
3313
3314This release fixes a bug in Windows that made it difficult to
3315terminate ntpd under windows.
3316This is a recommended upgrade for Windows.
3317
3318---
3319NTP 4.2.4p2 (Harlan Stenn <stenn@ntp.org>, 2007/06/19)
3320
3321Focus: Minor Bugfixes
3322
3323This release fixes a multicast mode authentication problem,
3324an error in NTP packet handling on Windows that could lead to
3325ntpd crashing, and several other minor bugs. Handling of
3326multicast interfaces and logging configuration were improved.
3327The required versions of autogen and libopts were incremented.
3328This is a recommended upgrade for Windows and multicast users.
3329
3330---
3331NTP 4.2.4 (Harlan Stenn <stenn@ntp.org>, 2006/12/31)
3332
3333Focus: enhancements and bug fixes.
3334
3335Dynamic interface rescanning was added to simplify the use of ntpd in
3336conjunction with DHCP. GNU AutoGen is used for its command-line options
3337processing. Separate PPS devices are supported for PARSE refclocks, MD5
3338signatures are now provided for the release files. Drivers have been
3339added for some new ref-clocks and have been removed for some older
3340ref-clocks. This release also includes other improvements, documentation
3341and bug fixes.
3342
3343K&R C is no longer supported as of NTP-4.2.4. We are now aiming for ANSI
3344C support.
3345
3346---
3347NTP 4.2.0 (Harlan Stenn <stenn@ntp.org>, 2003/10/15)
3348
3349Focus: enhancements and bug fixes.
3350